
Zyxel Devices Hit by Active Exploits Targeting CVE-2023-28771 Vulnerability

Zyxel users beware: A critical remote code execution flaw (CVE-2023-28771) in Zyxel devices is under active exploitation by a Mirai-like botnet. GreyNoise observed a surge on June 16, targeting devices globally.

HackRead
#vulnerability #rce #botnet

A serious security vulnerability, tracked as CVE-2023-28771, is affecting Zyxel networking devices. Security researchers at GreyNoise noticed a sudden, sharp rise in attempts to exploit this flaw on June 16th, indicating a concentrated effort by attackers.

The vulnerability allows for remote code execution, which means attackers can run their own programs on vulnerable devices from a distance. This particular weakness lies in how Zyxel devices handle Internet Key Exchange (IKE) packets arriving on UDP port 500.

**The Sudden Surge and Its Reach**

While attacks targeting this Zyxel flaw had been minimal, June 16th brought a significant spike in activity. GreyNoise recorded 244 different internet addresses trying to exploit the issue within a single day.

Source: GreyNoise

These attacks are aimed at devices in various countries, with the following being the most targeted:

  • India
  • Spain
  • Germany
  • United States
  • United Kingdom

Interestingly, a review of these 244 attacking addresses showed they had not been involved in any other suspicious network activity in the two weeks leading up to this sudden burst.

**Tracing the Source**

An investigation into the attacking internet addresses revealed they were all registered under Verizon Business infrastructure and appeared to originate from the United States. However, because the attacks use UDP port 500, which allows for spoofing (faking the sender’s address), the true source might be hidden, noted GreyNoise researchers in their blog post shared with Hackread.com.

Further analysis by GreyNoise, supported by checks from VirusTotal, found signs that these attacks might be linked to variants of the Mirai botnet, a type of malicious software that takes over devices.

In response to these active threats, security experts are urging immediate action. It is advised to block all 244 identified malicious IP addresses and to check if any internet-connected Zyxel devices have the necessary security patches for CVE-2023-28771.

Device owners should also watch for any unusual activity after an exploit attempt, as this could lead to further compromise or the device being added to a botnet. Finally, it’s recommended to limit any unnecessary exposure of IKE/UDP port 500 by applying network filters.
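As an added example (not part of the article, and not code from Zyxel or GreyNoise), a small Python inventory check that tests each device's product line and firmware version against the affected ranges from Zyxel's advisory quoted further down this page. The version-string format and the sample inventory are assumptions; a device at the top of a range is reported so its patch level can be confirmed against the vendor.

```python
import re

# Affected firmware ranges, inclusive (major, minor), as listed in Zyxel's
# advisory for CVE-2023-28771 quoted further down this page.
AFFECTED = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}

# Assumed Zyxel version format: optional 'V', major.minor with a two-digit
# minor, optional build suffix in parentheses, e.g. 'V5.35(ABFW.0)'.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d{2})(?:\(|$)")

def parse_version(version):
    """Return (major, minor) for a firmware string; ValueError if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(product, version):
    """True when the product/firmware pair lies inside an affected range."""
    low, high = AFFECTED[product]          # KeyError for an unlisted product line
    return low <= parse_version(version) <= high

def triage(inventory):
    """Return hostnames needing CVE-2023-28771 attention.

    inventory: (hostname, product, firmware) tuples, e.g. from an asset DB.
    Unparseable versions are flagged too: unknown is not evidence of a patch."""
    findings = []
    for host, product, fw in inventory:
        try:
            hit = is_affected(product, fw)
        except ValueError:
            hit = True
        if hit:
            findings.append(host)
    return findings

# Constructed sample inventory, not real devices.
SAMPLE = [
    ("fw-branch-1", "USG FLEX", "V5.35(ABUJ.0)"),   # inside the range
    ("fw-branch-2", "USG FLEX", "V5.36(ABUJ.1)"),   # above the range
    ("fw-hq", "ZyWALL/USG", "4.73"),                # upper bound, inclusive
    ("fw-lab", "ATP", "V4.59(ABFW.0)"),             # below the range
    ("fw-dc", "VPN", "unknown"),                    # flagged: cannot tell
]
```

Running `triage(SAMPLE)` returns the hosts to follow up on; feed the real asset list in the same tuple shape and pair the result with the UDP/500 exposure review the article recommends.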

It’s important to note that Zyxel devices have faced security challenges in the past. For instance, Hackread.com reported in June 2024 that Zyxel NAS devices were being targeted by a Mirai-like botnet exploiting a different vulnerability (CVE-2024-29973), highlighting a recurring pattern of issues for the company’s products.

“This was added to the CISA Known Exploited Vulnerabilities list on May 31, 2023, requiring agencies to have it resolved before June 21 that same year. The activity observed appears to be the Mirai botnet activity,” said Martin Jartelius, CISO at cybersecurity company Outpost24.

“As the vulnerability has been extensively targeted before, for someone to fall victim now, they would have had to obtain a vulnerable device, deploy it without updates, and expose it to the internet, even though it’s in a known vulnerable state,” explained Martin.

“One would almost say that the chain of incompetence needed to be victimized at this point is borderline impressive, but of course, it can happen. This, however, is not the vulnerability we should all wake up and worry about today. In fact, if you were worried about it, you would have fixed it years ago.”

Related news

Russian Hackers Launch 'Largest Ever Cyber Attack' on Danish Critical Infrastructure

Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023.  "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The

DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America,

Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks

By Waqas The DDoS attacks have been observed in various regions, including Central America, North America, East Asia, and South Asia.

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

This Metasploit module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The affected devices are vulnerable in a default configuration and command execution is with root privileges.

Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a

Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker

Mirai Malware Hits Zyxel Devices After Command Injection Bug

By Deeba Ahmed A variant of the Mirai botnet is targeting Zyxel Firewalls after exploiting a newly patched operating system command injection vulnerability.

Zyxel Issues Critical Security Patches for Firewall and VPN Products

Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below - CVE-2023-33009 -

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions

CVE-2023-28771: Zyxel security advisory for OS command injection vulnerability of firewalls | Zyxel Networks

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
