DDoS Botnets Leveraging Critical Zyxel Firewall Flaw
Fortinet Report Gives Insights

Overt Operator
July 21, 2023
Distributed Denial of Service (DDoS) botnets have ramped up exploitation of a critical vulnerability discovered in Zyxel firewall models, ringing alarm bells across the cybersecurity landscape. Affecting primarily Linux platforms, the flaw allows remote attackers to seize unauthorized control of systems, enabling them to launch devastating DDoS attacks.
This worrisome discovery is tracked by Fortinet security researchers as CVE-2023-28771. The vulnerability stems from a command injection flaw that allows threat actors to execute arbitrary code by sending a specially crafted packet to the targeted Zyxel device, according to a blog post by Fortinet senior antivirus analyst Cara Lin on July 19.
"The severity of this flaw, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security," wrote Lin, underscoring how serious the flaw is.
Following Fortinet's research, Zyxel swiftly released a security advisory on April 25, 2023. However, the Cybersecurity and Infrastructure Security Agency (CISA) included the flaw in its Known Exploited Vulnerabilities (KEV) catalog in May, suggesting active exploitation in the wild.
In the wake of the vulnerability's disclosure, Fortinet recorded a significant increase in malicious activities, particularly in May. Exploit traffic analysis revealed attacks spanning across Central America, North America, East Asia, and South Asia.
Notably, Fortinet identified the participation of multiple DDoS botnets, including a Mirai-based variant known as Dark.IoT, exploiting the vulnerability to unleash attacks.
Addressing this critical threat, Lin urged organizations running Linux platforms and Zyxel firewalls to prioritize patching and updating their systems. "To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible. Taking proactive measures to ensure the security of these devices is highly recommended," Lin explained.
This advisory comes hot on the heels of an April analysis by Jason Steer, CISO of Recorded Future, highlighting a surge in DDoS attacks in 2023 and their alarming connections with ransomware gangs.