Mirai Malware Hits Zyxel Devices After Command Injection Bug
By Deeba Ahmed, HackRead.com. A variant of the Mirai botnet is targeting Zyxel firewalls after exploiting a newly patched operating system command injection vulnerability.
Zyxel informed its customers about the security flaw on 25 April 2023 and announced patches for impacted firewalls, which included USG Flex, ATP, ZyWALL/USG, and VPN.
A variant of the Mirai botnet has compromised numerous Zyxel firewalls by exploiting a recently patched operating system command injection vulnerability (CVE-2023-28771). The bug affects many Zyxel network devices, and with the Mirai botnet now controlling them, the problem can worsen, since compromised devices can be used to launch DDoS attacks.
According to Palo Alto Networks’ Unit 42 researchers, who analyzed the downloaded samples, the Mirai botnet sample hacking Zyxel firewalls is called IZ1H9, which was discovered in August 2018. Researchers dubbed it the most active of all Mirai variants.
The botnet client first inspects the network portion of the compromised device’s IP address and avoids execution for a specific list of IP blocks. This includes government networks, tech firms, and internet providers.
The malware prints “Darknet” to the console to announce its presence. It also ensures that the device runs only one instance of the malware. If a botnet process is found on the device, the Mirai client will terminate it and start a new process, working from its list of process names belonging to other Mirai variants and other malware families.
Any product running vulnerable firmware can be exploited whether or not the user has configured the VPN, including devices left in their default state. Mirai operators now control numerous Zyxel SMB VPN appliances.
How Was the Bug Discovered?
The vulnerability affecting Zyxel devices was discovered by Trapa Security. It stems from improper error message handling in some firewall firmware versions, which could allow an unauthenticated remote attacker to execute OS commands by sending specially crafted packets to the device. The vulnerable component is the Internet Key Exchange (IKE) packet decoder, according to a report from Rapid7.
Users Must Immediately Patch Devices
CVE-2023-28771 was patched in April 2023. However, many users have yet to apply the fix, leading to the current mass exploitation of vulnerable devices. Researcher Kevin Beaumont reported on Thursday that the Mirai botnet variant was mass-exploiting this vulnerability, affecting several SMB appliances.
Security experts have urged users of Zyxel network devices to patch the flaw immediately. A few days earlier, Rapid7 had warned that the bug was likely to be exploited in the wild. They do not claim that 42,000 internet-exposed Zyxel device web interfaces have surfaced, but Rapid7 researchers believe the number of compromised devices may be much higher. The Mirai malware targeting Zyxel firewalls is distributed as an ELF (Executable and Linkable Format) binary for Unix and Linux systems.
Zyxel is a Taiwanese networking device manufacturer. The company recently fixed two more flaws affecting its firewalls, CVE-2023-33009 and CVE-2023-33010. Both are buffer overflow flaws that can let an adversary cause a DoS condition or execute arbitrary code on the device.
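The practical question for a defender reading the above is which devices in an inventory are still inside the affected firmware ranges. The following is an added example, not code from HackRead, Zyxel, Rapid7 or Unit 42: it encodes the affected ZLD firmware ranges for CVE-2023-28771 and for CVE-2023-33009/33010 exactly as the advisory text quoted on this page states them, and runs a small inventory through them. The device names and firmware strings in `SAMPLE_INVENTORY` are constructed sample data, and the version parser assumes Zyxel's two-digit minor numbering ("4.60", "5.35") with "Patch N" suffixes; a version quoted without a patch number is treated as the base release.

```python
"""Firmware triage against the Zyxel advisory ranges quoted on this page.

Added example (not Zyxel's, Rapid7's or Unit 42's code). Turns the affected
firmware ranges from the advisories into an inventory check: for each device
series and ZLD firmware string, report which advisories still apply.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch)

# Parses "5.36", "5.36 Patch 1" or "V4.73 Patch 2" into a comparable tuple.
# Assumption: ZLD minors are two digits ("4.60", "5.35"), so "4.6" is rejected
# rather than silently read as "4.60"; a plain "X.YY" is the base release.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d{2})(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD firmware string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# Affected ranges as quoted on this page, inclusive at both ends.
# Keys are the product series names Zyxel uses in its advisories.
AFFECTED: Dict[str, Dict[str, Tuple[str, str]]] = {
    "CVE-2023-28771": {  # IKE packet decoder command injection
        "ZyWALL/USG": ("4.60", "4.73"),
        "VPN": ("4.60", "5.35"),
        "USG FLEX": ("4.60", "5.35"),
        "ATP": ("4.60", "5.35"),
    },
    "CVE-2023-33009/33010": {  # ID-processing buffer overflows
        "ATP": ("4.32", "5.36 Patch 1"),
        "USG FLEX": ("4.50", "5.36 Patch 1"),
        "USG FLEX 50(W)": ("4.25", "5.36 Patch 1"),
        "USG20(W)-VPN": ("4.25", "5.36 Patch 1"),
        "VPN": ("4.30", "5.36 Patch 1"),
        "ZyWALL/USG": ("4.25", "4.73 Patch 1"),
    },
}


def is_affected(series: str, firmware: str, cve: str) -> bool:
    """True if `firmware` on `series` falls inside the advisory's affected range."""
    ranges = AFFECTED[cve]
    if series not in ranges:  # series not listed in this advisory at all
        return False
    low, high = (parse_version(v) for v in ranges[series])
    return low <= parse_version(firmware) <= high


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each device name to the advisories it is still exposed to."""
    report: Dict[str, List[str]] = {}
    for name, series, firmware in inventory:
        report[name] = [cve for cve in AFFECTED if is_affected(series, firmware, cve)]
    return report


# Constructed sample inventory: (device name, product series, ZLD firmware).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "5.35"),           # inside both ranges
    ("fw-branch-02", "USG FLEX", "5.36"),           # past 28771, inside 33009/33010
    ("fw-hq-01", "ATP", "5.36 Patch 2"),            # past both ranges
    ("fw-legacy-01", "ZyWALL/USG", "4.73 Patch 1"), # past 28771, inside 33009/33010
    ("fw-legacy-02", "ZyWALL/USG", "4.73 Patch 2"), # past both ranges
]

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "outside the quoted ranges"
        print(f"{device}: {status}")
```

The check is deliberately strict about the firmware string: a value it cannot parse raises instead of being treated as safe, which is the failure mode you want in a patch-compliance report.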
RELATED ARTICLES
- Mirai botnet exploiting Azure OMIGOD vulnerabilities
- Mirai botnet resurfaces with MooBot, hits D-Link devices
- Attacker builds malware variant with leaked Mirai source code
Related news
Forescout Report Uncovers New Details in Danish Energy Hack (HackRead.com, by Deeba Ahmed): The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls.
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023. "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America,
Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks (HackRead.com, by Waqas): The DDoS attacks have been observed in various regions, including Central America, North America, East Asia, and South Asia.
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel
This Metasploit module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The affected devices are vulnerable in a default configuration and command execution is with root privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker
Zyxel patches two critical vulnerabilities (Malwarebytes Labs): Zyxel has released a security advisory about two critical vulnerabilities that could allow an unauthorized, remote attacker to take control of its firewall devices.
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below - CVE-2023-33009 -
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.