DDoS Botnets Hijack Zyxel Devices to Launch Devastating Attacks
Several distributed denial-of-service (DDoS) botnets have been observed exploiting critical flaws in Zyxel devices that were revealed in April 2023 to gain remote control of vulnerable systems.
“Through exploit traffic capture, the attacker’s IP address was identified, and it was determined that the attack occurred in multiple regions, including Central America, North America, East Asia, and South Asia,” Fortinet FortiGuard Labs researcher Cara Lin said.
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting some firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending specially crafted packets to a targeted device.
Last month, the Shadowserver Foundation warned that the flaw was “actively exploited to build a Mirai-like botnet” since at least May 26, 2023, showing how the abuse of servers running unpatched software is on the rise.
Recent findings from Fortinet show that these flaws are exploited opportunistically by many actors to penetrate vulnerable hosts and confine them into botnets capable of launching DDoS attacks against other targets.
It consists of The Mirai botnet variants such as Dark.IoT and another botnet dubbed Katana by its makers, which comes with the ability to mount DDoS attacks using TCP and UDP protocols.
“It appears that this campaign uses multiple servers to launch attacks and updates itself within a few days to maximize infiltration of Zyxel devices,” said Lin.
Revelation comes as Cloudflare reported an “alarming increase in DDoS attack sophistication” in the second quarter of 2023, with threat actors devising new ways to evade detection by “smartly mimicking browser behavior” and keeping their attack rate per second relatively low.
Adding to the complexity is the use of DNS laundering attacks to hide malicious traffic via leading recursive DNS resolvers and virtual machine botnets to orchestrate hyper-volumetric DDoS attacks.
“In a DNS Laundering attack, the threat actor will query the subdomain of the domain managed by the victim’s DNS server,” explained Cloudflare. “The prefix that defines the subdomain is random and is never used more than once or twice in such an attack.”
“Due to the randomization element, a recursive DNS server can never have cached responses and needs to forward queries to the victim’s authoritative DNS server. The authoritative DNS server is then bombarded by so many queries that it is unable to serve valid queries or even crashes simultaneously.”
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
Another important factor contributing to the increase in DDoS attacks is the emergence of pro-Russian hacker groups such as KillNet, REvil, and Anonymous Sudan (aka Storm-1359) which focus heavily on targets in the US and Europe. There is no evidence to link REvil to any known ransomware groups.
“The regular creation and uptake of new KillNet groups is at least in part an attempt to continue to attract attention from the Western media and to increase the influence component of its operations,” Mandiant said. said in a new analysis, adding the group’s targeting “consistently aligns with Russia’s established and emerging geopolitical priorities.”
“KillNet’s structure, leadership and capabilities have undergone several observable changes over the last 18 months, evolving towards a model that includes new, higher profile affiliate groups intended to draw attention to their respective brands in addition to the broader KillNet brand,” he further added.
