Zyxel Vulnerability Exploited by DDoS Botnets on Linux Systems

Distributed Denial of Service (DDoS) botnets have been used to actively exploit a critical vulnerability found in Zyxel firewall models.

The flaw, identified by Fortinet security researchers as CVE-2023-28771, explicitly affects Linux platforms.

Exploiting the vulnerability, remote attackers gain unauthorized control over the vulnerable systems, enabling them to conduct DDoS attacks.

Discussing the vulnerability in a blog post published on Wednesday, July 20, Fortinet senior antivirus analyst Cara Lin said it stems from a command injection vulnerability, enabling attackers to execute arbitrary code by sending a specially crafted packet to the targeted Zyxel device. 

"The severity of this flaw, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security," Lin wrote.

After Fortinet's research exposed the vulnerability, Zyxel promptly released a security advisory on April 25, 2023. Despite this, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in May, indicating active exploitation in the wild.

In response to the vulnerability's disclosure, Fortinet observed an uptick in malicious activity, particularly in May. By capturing exploit traffic, Fortinet confirmed that attacks had been observed in Central America, North America, East Asia, and South Asia.

In particular, Lin said Fortinet discovered multiple DDoS botnets, including Dark.IoT, a variant based on Mirai, that have been exploiting the vulnerability to launch attacks.

The antivirus analyst recommended that organizations using Linux platforms and Zyxel firewalls prioritize applying the available patches and updates to mitigate the risk.

"To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible. Taking proactive measures to ensure the security of these devices is highly recommended."

The new Fortinet advisory comes months after an April analysis by Jason Steer, CISO of Recorded Future, highlighted an increasing number of DDoS attacks in 2023 and how the trend is connected to ransomware gangs.
