DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks
21.7.23 BotNet The Hacker News
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems.
"Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia," Fortinet FortiGuard Labs researcher Cara Lin said.
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending a specially crafted packet to the targeted appliance.
Last month, the Shadowserver Foundation warned that the flaw was being "actively exploited to build a Mirai-like botnet" at least since May 26, 2023, an indication of how abuse of servers running unpatched software is on the rise.
The latest findings from Fortinet suggest that the shortcoming is being opportunistically leveraged by multiple actors to breach susceptible hosts and corral them into a botnet capable of launching DDoS attacks against other targets.
This comprises Mirai botnet variants such as Dark.IoT and another botnet that has been dubbed Katana by its author, which comes with capabilities to mount DDoS attacks using TCP and UDP protocols.
"It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices," Lin said.
The disclosure comes as Cloudflare reported an "alarming escalation in the sophistication of DDoS attacks" in the second quarter of 2023, with threat actors devising novel ways to evade detection by "adeptly imitating browser behavior" and keeping their attack rates-per-second relatively low.
Adding to the complexity is the use of DNS laundering attacks to conceal malicious traffic via reputable recursive DNS resolvers and virtual machine botnets to orchestrate hyper-volumetric DDoS attacks.
"In a DNS Laundering attack, the threat actor will query subdomains of a domain that is managed by the victim's DNS server," Cloudflare explained. "The prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack."
"Due to the randomization element, recursive DNS servers will never have a cached response and will need to forward the query to the victim's authoritative DNS server. The authoritative DNS server is then bombarded by so many queries until it cannot serve legitimate queries or even crashes altogether."
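The pattern Cloudflare describes can be spotted in an authoritative server's query log: most queries for a zone carry random prefixes that are each seen at most once or twice, and they arrive from recursive resolvers rather than from the attacker. The following detection sketch is an added example, not code from Cloudflare or Fortinet; the function names, thresholds, zone names and log entries are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict

def entropy(label):
    """Shannon entropy (bits per character) of one DNS prefix."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_laundering(queries, zones, min_queries=50, max_reuse=2,
                    min_ratio=0.9, min_entropy=2.5):
    """Flag zones where most queries use random prefixes seen <= max_reuse times.

    queries: iterable of (resolver_ip, qname) from the authoritative query log.
    Thresholds are illustrative assumptions and need tuning per zone.
    """
    prefixes = defaultdict(Counter)   # zone -> prefix -> query count
    resolvers = defaultdict(Counter)  # zone -> resolver IP -> query count
    for src, qname in queries:
        name = qname.lower().rstrip(".")
        for zone in zones:
            if name.endswith("." + zone):
                prefixes[zone][name[: -len(zone) - 1]] += 1
                resolvers[zone][src] += 1
                break
    flagged = {}
    for zone, counts in prefixes.items():
        total = sum(counts.values())
        rare = [p for p, c in counts.items() if c <= max_reuse]
        if total < min_queries or not rare:
            continue  # too little traffic, or every name is queried repeatedly
        ratio = sum(counts[p] for p in rare) / total
        mean_h = sum(entropy(p) for p in rare) / len(rare)
        if ratio >= min_ratio and mean_h >= min_entropy:
            flagged[zone] = {"queries": total, "rare_ratio": round(ratio, 2),
                             "mean_entropy": round(mean_h, 2),
                             "top_resolvers": resolvers[zone].most_common(2)}
    return flagged

def sample_log():
    """Constructed log: one zone under laundering load, one with normal traffic."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    log = [(rng.choice(["192.0.2.53", "198.51.100.53"]),
            "".join(rng.choices(alphabet, k=12)) + ".victim.example")
           for _ in range(200)]
    log += [("203.0.113.10", "www.victim.example")] * 10
    log += [("203.0.113.10", n + ".quiet.example") for n in ("www", "api", "mail")] * 20
    return log
```

Because the flagged queries come from shared recursive resolvers, the `top_resolvers` field is context for responders rather than a block list; dropping those sources would also drop legitimate users behind them.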
Another noteworthy factor contributing to the increase in DDoS offensives is the emergence of pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan (aka Storm-1359) that have overwhelmingly focused on targets in the U.S. and Europe. There is no evidence to connect REvil to the widely known ransomware group.
KillNet's "regular creation and absorption of new groups is at least partially an attempt to continue to garner attention from Western media and to enhance the influence component of its operations," Mandiant said in a new analysis, adding the group's targeting has "consistently aligned with established and emerging Russian geopolitical priorities."
"KillNet's structure, leadership, and capabilities have undergone several observable shifts over the course of the last 18 months, progressing toward a model that includes new, higher profile affiliate groups intended to garner attention for their individual brands in addition to the broader KillNet brand," it further added.