Heads-up: Zyxel firewalls CVE-2023-28771 exploitation


Barry Raveendran Greene

May 27, 2023, 7:51:45 PM
to id...@googlegroups.com
Hi Team,

We’re going to post many of these updates to the ASEAN nogs to help organizations leverage some of the Cyber Civil Defence tools you can use.

Business Impact: The Zyxel vulnerability was rapidly exploited. It would be used by threat-actors for a range of their criminal and cyber-war activities. DDoS is one of the many. Their criminal use will range from DDoS, to Phishing, to Malware C&C, Proxy infrastructure, and many other “creative criminal uses.” Given Zyxel’s market penetration, expect to find these units in un-managed places with wide deployment. 

Check List for Organizations:

- Look for Zyxel firewalls on your network. Use Shadowserver’s network reports as a free tool to see what anyone (including bad guys) can see into your network. Remember, Shadowserver’s API access to your network data is free - as a public service to help you safeguard your network.

- If you have Zyxel - patch ASAP. You are in a race. Once the bad guys are in, it is harder to get them off the box.

- If your customers are running Zyxel, work with MYCERT to get the larger reports from Shadowserver. It would allow you to see how many of your customers will get infected and consume bandwidth.

Several miscreant crews are known to get into CPEs like Zyxel, take them over in a way the owner has no clue about, then use them in their bot network.

Researcher Kevin Beaumont reported on Thursday that CVE-2023-28771 has been ‘mass exploited’ by a Mirai botnet variant, with many SMB appliances being impacted. (See https://cyberplace.social/@GossiTheDog/110428080243894672)

Barry

Begin forwarded message:

From: Piotr Kijewski <pi...@shadowserver.org>
Date: May 28, 2023 at 05:04:10 GMT+8
To: pub...@shadowserver.org
Subject: [Public Shadowserver] Heads-up: Zyxel firewalls CVE-2023-28771 exploitation

Dear All,

Zyxel firewalls CVE-2023-28771 (pre-auth OS remote command injection) is being actively exploited to build a Mirai-like botnet. Internet-wide sweeps have been seen by over 700 of our IKEv2-aware honeypot sensors since May 26th. Exploit PoC is public, so expect an increase in attacks.

At this stage, if you have a vulnerable device exposed, assume compromise. Zyxel advisory and patch info (2023-04-25):

https://zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls

Zyxel firewall device population (no vulnerability assessment) on our Dashboard: https://dashboard.shadowserver.org/statistics/iot-devices/tree/?day=2023-05-25&vendor=zyxel&type=firewall&geo=all&data_set=count&scale=log

We are also seeing a large increase in compromised Zyxel devices performing attacks: https://dashboard.shadowserver.org/statistics/honeypot/monitoring/vendor/?category=anomaly&statistic=unique_ips&d2=2023-05-27

Links with stats:

https://twitter.com/Shadowserver/status/1662560843463098372

https://infosec.exchange/@shadowserver/110442626213838177

https://www.linkedin.com/feed/update/urn:li:activity:7068328874316636160

https://staging.bsky.app/profile/shadowserver.bsky.social/post/3jwqgg443d22w

Hope this is useful.

kind regards,
Piotr
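As an added example (not from the e-mails above, and not Shadowserver's or Zyxel's own tooling): a small Python script that cross-references a Shadowserver-style device report against your own address prefixes and lists the Zyxel firewalls you need to patch or isolate. The CSV column names (`ip`, `device_vendor`, `device_type`, `device_model`) and the sample rows are assumptions constructed for illustration, not real report data.

```python
"""Find Zyxel firewalls inside your own prefixes in a Shadowserver-style
device report, so they can be prioritised for the CVE-2023-28771 patch.

Added example; the column layout and the sample rows below are assumed /
constructed, not copied from a real Shadowserver report."""
import csv
import io
import ipaddress

# Constructed sample report (not real data). Column names are an assumption.
SAMPLE_REPORT = """timestamp,ip,port,device_vendor,device_type,device_model
2023-05-27 00:00:00,192.0.2.10,500,Zyxel,firewall,Model-A
2023-05-27 00:00:00,192.0.2.11,500,Zyxel,router,Model-B
2023-05-27 00:00:00,198.51.100.5,500,zyxel,Firewall,Model-C
2023-05-27 00:00:00,192.0.2.12,443,OtherVendor,firewall,Model-D
2023-05-27 00:00:00,not-an-ip,500,Zyxel,firewall,Model-E
"""


def find_zyxel_firewalls(report_csv, my_prefixes,
                         vendor="zyxel", device_type="firewall"):
    """Return a sorted, de-duplicated list of (ip, model) for rows whose IP
    falls inside one of my_prefixes and whose vendor/type match
    (case-insensitive). Malformed IPs are skipped rather than aborting
    the run on a large report."""
    nets = [ipaddress.ip_network(p, strict=False) for p in my_prefixes]
    hits = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        try:
            ip = ipaddress.ip_address(row.get("ip", "").strip())
        except ValueError:
            continue  # skip rows with an unparsable IP
        if row.get("device_vendor", "").strip().lower() != vendor:
            continue
        if row.get("device_type", "").strip().lower() != device_type:
            continue
        if any(ip in net for net in nets):
            hits.add((str(ip), row.get("device_model", "").strip()))
    return sorted(hits)


if __name__ == "__main__":
    # Replace with the prefixes you are responsible for.
    for ip, model in find_zyxel_firewalls(SAMPLE_REPORT, ["192.0.2.0/24"]):
        print(f"PATCH/ISOLATE: {ip} ({model})")
```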