
Mass Exploitation of Zyxel Network Appliances Underway

Mirai Botnet Targets Now-Patched Zyxel Flaw

Versions of the Mirai botnet are targeting an operating system command injection vulnerability present in numerous Zyxel network devices. Zyxel patched the vulnerability in April but it's not clear how many users have applied the fix. Security experts warn the flaw appears to be exploited at a massive scale, meaning users should patch the vulnerability as quickly as possible.


Multiple anti-malware firms are tracking the attacks, as detailed by Google's VirusTotal malware-tracking site. The Zyxel-targeting Mirai malware is being spread as an Executable and Linkable Format (ELF) binary, the native executable format on Linux and Unix systems.

"There are some 42,000 instances of Zyxel web interfaces exposed to the public internet," security firm Rapid7 reported. "This does not, however, capture vulnerable VPN implementations, which means real exposure is likely much higher."

The Zyxel-targeting Mirai code is a legacy of three Minecraft players who in 2016 designed a botnet capable of infecting a large number of internet of things (IoT) devices, thanks in part to many vendors shipping devices with well-documented default usernames and passwords that users often didn't, or couldn't, change.

The original Mirai coders pleaded guilty to federal charges in 2017. After an unknown person posted Mirai code online, different groups of attackers have continued to adapt it for fresh campaigns.

Lately that includes targeting networking devices built by Taiwan's Zyxel, after the firm issued a patch in April to fix a firmware vulnerability, designated as CVE-2023-28771, in multiple devices.

The vendor reported that "improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device."

"The vulnerable component is the Internet Key Exchange - IKE - packet decoder, which forms part of the IPSec VPN service offered by the device," reported Rapid7.

The flaw can be exploited in any product running vulnerable firmware, regardless of whether users have configured the VPN. "An affected device is vulnerable in a default state," Rapid7 said. "An attacker can send a specially crafted UDP packet to port 500 in the WAN interface and achieve unauthenticated command execution as the root user."
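As an added defensive illustration (this is not code from Zyxel, Rapid7 or the article), the following Python triages firewall logs for inbound UDP/500 on the WAN interface from addresses that are not configured IPsec peers; a burst of many distinct unexpected sources is consistent with the mass scanning described above. The log format, interface name and addresses are constructed assumptions and must be adapted to your own firewall's syslog.

```python
"""Triage firewall logs for unexpected inbound IKE (UDP/500) on the WAN side.

Constructed example: the log line format below is invented for illustration
and the addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# Assumed log line: "<timestamp> iface=<if> proto=<p> src=<ip> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_ike_sources(lines, known_peers, wan_iface="wan"):
    """Map source IP -> hit count for UDP/500 traffic arriving on the WAN
    interface from addresses that are not configured VPN peers."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if (rec["iface"] == wan_iface and rec["proto"].lower() == "udp"
                and rec["dport"] == "500" and rec["src"] not in known_peers):
            hits[rec["src"]] += 1
    return dict(hits)

def likely_mass_scan(unexpected, min_sources=5):
    """True when the number of distinct unexpected IKE sources reaches the
    threshold; IPsec peers are normally a small, fixed set, so many strangers
    probing UDP/500 is the signal worth alerting on."""
    return len(unexpected) >= min_sources

KNOWN_PEERS = {"203.0.113.10"}  # constructed: the one legitimate VPN peer
SAMPLE_LOGS = [  # constructed sample input
    "2023-06-01T10:00:01Z iface=wan proto=udp src=203.0.113.10 dst=192.0.2.1:500",
    "2023-06-01T10:00:02Z iface=wan proto=udp src=198.51.100.5 dst=192.0.2.1:500",
    "2023-06-01T10:00:02Z iface=wan proto=udp src=198.51.100.6 dst=192.0.2.1:500",
    "2023-06-01T10:00:03Z iface=wan proto=udp src=198.51.100.7 dst=192.0.2.1:500",
    "2023-06-01T10:00:03Z iface=wan proto=udp src=198.51.100.5 dst=192.0.2.1:500",
    "2023-06-01T10:00:04Z iface=lan proto=udp src=10.0.0.8 dst=192.0.2.1:500",
    "2023-06-01T10:00:05Z iface=wan proto=tcp src=198.51.100.9 dst=192.0.2.1:443",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = unexpected_ike_sources(SAMPLE_LOGS, KNOWN_PEERS)
    print(found, "mass scan:", likely_mass_scan(found, min_sources=3))
```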

Attackers using updated Mirai code to target the flaw have now compromised numerous Zyxel devices; as British cybersecurity researcher Kevin Beaumont put it, "SMB VPN boxes are owned." He classified the flaw as "super exploitable" because it can be used to target a service that, by design, is publicly accessible and can be reached without having to first authenticate.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
