Critical Zyxel Firewall Injection Flaw Exploited

Increased botnet activity targeting vulnerability(CVE-2023-28771) in Zyxel devices has become a major concern to its users.

This vulnerability lets the unauthorized attacker execute the arbitrary code by sending a specifically crafted packet to the targeted device.

Since CISA added this vulnerability to the Known Exploited vulnerability, the surge of the attack has increased, and the severity of the flaw is rated as 9.8.

According to FortiGuard researchers, multiple botnets, including Dark.IoT-a variant based on Mirai and botnet that can perform customizable DDOS attacks was involved in targeting the vulnerability.

Botnet activity

Analysis of Attack:

The traffic has been observed across multiple regions, such as Central America, North America, and East and South Asia.

Threat actors specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices.

Later, They utilize curl or wget tools to download scripts to tailor MIPS architecture for further malicious actions.

The initial scripts downloaded rename themselves and execute zywall parameters to ensure the connectivity of ZyXEL vulnerability.

Additional scripts associated with Rapperbot malware were downloaded from a different server which further downloads MIPS script files to make persistence.

This shows threat actors utilized multiple servers for this campaign to compromise the ZyXEL devices.

Threat actors update their tactics and techniques frequently within a short time frame to maximize the compromised device.

As said earlier, one of the botnets employed by the threat actor is Dark—Iot which utilizes an openNIC server for DNS resolution and communication with the C2 server.

Devices with known vulnerabilities should be patched and updated as soon as possible to prevent attacks and compromises.

Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of this DDoS attack traffic is shown below.

IOCs

d618c817e6a93193a499126156a1f7e888008dacdb247a769fd69ce4c0c87b67
a6729c047d776294fa21956157eec0b50efa7447b8e2834b05be31080767006f
729f2fa4d037912a360cb7c4e2c37765da0c38725451600f0258109b672f615e
2c55674e938e7618f7c9273e3da61ce7aeab3dc5626b7b8b4e3fc7cc95d0436f
928d8ccd71edda5891068d703603ba0b70687f746c9da73afa6692b274ea757c
6137a30d8eb932d25664ced747424b15072e676b5d4d27d5b8f3b84f48344217
0c394849ce4f636cc79cc84389b66a0dbdaf14a61a6d87302e807f2153bc6c2b
2fe13ee992cf00778bcc92dc3732305114dca1700dedca7c29342216df236644
034cdcb42d1d7b921b4732230bbdcb4089107490a30b8cd7a62e67b657e33d26
3d69c780fefa0c3a34190989d43268a272004f0623d3e596bc0c92e1744832c9
79f69993110688372a5898d05f1141b7f44f3f5f55cd50b6a493c1d33af141c8
c68211116bbc43c2fe0aba8b598b88b218adc0d995311a4e7030de8acd48076e
51becb81d6bdfe79111974c05f2e4a20a8825a872a92df86cbc98517100b031a
42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2dfb1ae2bf0bf0db48
85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d1d01f2f9471d20150
12c65cfd227d393fd338223eb50140571760de04ef0a21fe3c4636e1bfaf4966
f82f5ec551f9ac3bb5a3b1ace5dd21c35239bd983fd9a36e0e7c07bfb48a3fdd
28fa9225db6d42084123989712313489e255376134f8e77f07b77c345a026304
312022da42ab6df882c44d984f9aceea7f08e217a5ca8ca985c533a1af399cee

Leave a Reply

Your email address will not be published. Required fields are marked *