Increased botnet activity targeting vulnerability(CVE-2023-28771) in Zyxel devices has become a major concern to its users.
This vulnerability lets the unauthorized attacker execute the arbitrary code by sending a specifically crafted packet to the targeted device.
Since CISA added this vulnerability to the Known Exploited vulnerability, the surge of the attack has increased, and the severity of the flaw is rated as 9.8.
According to FortiGuard researchers, multiple botnets, including Dark.IoT-a variant based on Mirai and botnet that can perform customizable DDOS attacks was involved in targeting the vulnerability.
Analysis of Attack:
The traffic has been observed across multiple regions, such as Central America, North America, and East and South Asia.
Threat actors specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices.
Later, They utilize curl or wget tools to download scripts to tailor MIPS architecture for further malicious actions.
The initial scripts downloaded rename themselves and execute zywall parameters to ensure the connectivity of ZyXEL vulnerability.
Additional scripts associated with Rapperbot malware were downloaded from a different server which further downloads MIPS script files to make persistence.
This shows threat actors utilized multiple servers for this campaign to compromise the ZyXEL devices.
Threat actors update their tactics and techniques frequently within a short time frame to maximize the compromised device.
As said earlier, one of the botnets employed by the threat actor is Dark—Iot which utilizes an openNIC server for DNS resolution and communication with the C2 server.
Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of this DDoS attack traffic is shown below.