May 17, 2024

A critical vulnerability in Zyxel devices tracked as CVE-2023-28771 is having an increased exploitation by botnets.

Since the US CISA adds it to the KEV Catalog, this surge is seen. This vulnerability allows the unauthorized attacker to execute the arbitrary code by sending a specifically crafted packet to the targeted device.

Researchers note that multiple botnets, including Dark.IoT-a variants based on Mirai and botnets, utilize an openNIC server for DNS resolution and communication with the C2 server. can perform customizable DDOS attacks and were involved in targeting the vulnerability across the Americas and Asia.

Advertisements

Threat actors specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices.

They utilize curl or wget tools to download scripts to tailor MIPS architecture for further malicious actions.

Once the initial scripts are downloaded, they will rename themselves and execute zywall parameters to ensure the connectivity of ZyXEL vulnerability. Scripts related to RapperBot also get downloaded to make persistence.

Threat actors utilized multiple servers for this campaign to compromise the ZyXEL devices with sophistication.

Advertisements

Devices with known vulnerabilities should be patched and updated as soon as possible to prevent attacks and compromises.

Indicators of Compromise

  • d618c817e6a93193a499126156a1f7e888008dacdb247a769fd69ce4c0c87b67
  • a6729c047d776294fa21956157eec0b50efa7447b8e2834b05be31080767006f
  • 729f2fa4d037912a360cb7c4e2c37765da0c38725451600f0258109b672f615e
  • 2c55674e938e7618f7c9273e3da61ce7aeab3dc5626b7b8b4e3fc7cc95d0436f
  • 928d8ccd71edda5891068d703603ba0b70687f746c9da73afa6692b274ea757c
  • 6137a30d8eb932d25664ced747424b15072e676b5d4d27d5b8f3b84f48344217
  • 0c394849ce4f636cc79cc84389b66a0dbdaf14a61a6d87302e807f2153bc6c2b
  • 2fe13ee992cf00778bcc92dc3732305114dca1700dedca7c29342216df236644
  • 034cdcb42d1d7b921b4732230bbdcb4089107490a30b8cd7a62e67b657e33d26
  • 3d69c780fefa0c3a34190989d43268a272004f0623d3e596bc0c92e1744832c9
  • 79f69993110688372a5898d05f1141b7f44f3f5f55cd50b6a493c1d33af141c8
  • c68211116bbc43c2fe0aba8b598b88b218adc0d995311a4e7030de8acd48076e
  • 51becb81d6bdfe79111974c05f2e4a20a8825a872a92df86cbc98517100b031a
  • 42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2dfb1ae2bf0bf0db48
  • 85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d1d01f2f9471d20150
  • 12c65cfd227d393fd338223eb50140571760de04ef0a21fe3c4636e1bfaf4966
  • f82f5ec551f9ac3bb5a3b1ace5dd21c35239bd983fd9a36e0e7c07bfb48a3fdd
  • 28fa9225db6d42084123989712313489e255376134f8e77f07b77c345a026304
  • 312022da42ab6df882c44d984f9aceea7f08e217a5ca8ca985c533a1af399cee
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

CISA KEV Update – May 2024

May 17, 2024

Google fixes 2nd Zeroday in a Week – CVE-2024-4947

May 16, 2024

US Authorities took control of BreachForums

May 16, 2024

Microsoft Zeroday Bug CVE-2024-30051 exploited to install QakBot

May 15, 2024

Microsoft Patch Tuesday – May 2024

May 15, 2024

VMware fixes vulnerabilities exploited in Pwn2Own Vancouver

May 14, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading