Multiple distributed denial-of-service (DDoS) botnets have been spotted exploiting a severe vulnerability in Zyxel devices discovered in April 2023 to remotely hijack susceptible systems.
“The exploit traffic was captured, the attacker’s IP address was traced, and it was ascertained that the attacks were taking place across several regions, including Central America, North America, East Asia, and South Asia,” stated Cara Lin, a researcher at Fortinet FortiGuard Labs.
The vulnerability, designated as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug impacting numerous firewall models, potentially allowing an unauthorized party to execute arbitrary code by transmitting a specially designed packet to the targeted device.
In the previous month, the Shadowserver Foundation cautioned that the flaw was being “actively used to construct a Mirai-like botnet” at least since May 26, 2023, indicating a rising trend of exploiting servers running outdated software.
New insights from Fortinet imply that the weakness is being exploited by various entities to infiltrate vulnerable hosts and herd them into a botnet capable of instigating DDoS attacks on other targets.
This includes Mirai botnet iterations like Dark.IoT and another botnet named Katana by its creator, equipped with the ability to initiate DDoS attacks utilizing TCP and UDP protocols.
“This campaign appears to have deployed multiple servers to execute attacks and updated itself in a few days to maximize the breach of Zyxel devices,” Lin added.
This revelation coincides with Cloudflare’s report of a “disturbing rise in the sophistication of DDoS attacks” in the second quarter of 2023, with cybercriminals devising new methods to circumvent detection by “skillfully mimicking browser behavior” and keeping their per-second attack rates relatively low.
Adding to the intricacy is the employment of DNS laundering attacks to mask malicious traffic through trusted recursive DNS resolvers and virtual machine botnets to conduct high-volume DDoS attacks.
“In a DNS Laundering assault, the cyber criminal will query subdomains of a domain managed by the victim’s DNS server,” Cloudflare elucidated. “The prefix defining the subdomain is randomized and never used more than once or twice during such an attack.”
“Due to the element of randomization, recursive DNS servers will never have a cached response and will need to route the query to the victim’s authoritative DNS server. The authoritative DNS server is then overwhelmed by so many queries that it cannot cater to legitimate queries or even crashes altogether.”
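A defender-side check for the DNS laundering pattern Cloudflare describes, as an added example that is not code from the article or from Cloudflare: it scores an authoritative server's query log by how many distinct subdomain labels are queried only once or twice and how random those labels look, which separates a laundering flood from ordinary cache misses. The log line format, the victim zone and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed authoritative-server query log lines (not from the article), one
# "<resolver_ip> <qname>" per line; example.com is the assumed victim zone.
ATTACK_LOG = """\
203.0.113.5 x7kq2m9a.example.com
203.0.113.5 b3n8p0zt.example.com
198.51.100.9 q9w1e5rt.example.com
198.51.100.9 x7kq2m9a.example.com
203.0.113.7 zz04lkm3.example.com
198.51.100.2 www.example.com
198.51.100.2 mail.example.com
203.0.113.5 www.example.com
203.0.113.9 www.example.com
"""
BENIGN_LOG = """\
198.51.100.2 www.example.com
203.0.113.5 www.example.com
203.0.113.9 mail.example.com
198.51.100.9 www.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; randomized prefixes score close to log2(charset size)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def zone_stats(log_text: str, zone: str) -> dict:
    """Per-zone label reuse and randomness. Labels seen at most twice are the
    laundering candidates, matching the 'never used more than once or twice' pattern."""
    labels, resolvers, suffix = Counter(), set(), "." + zone
    for line in log_text.splitlines():
        resolver, qname = line.split()
        if qname.endswith(suffix):
            labels[qname[:-len(suffix)]] += 1
            resolvers.add(resolver)
    total = sum(labels.values())
    rare = [p for p, c in labels.items() if c <= 2]
    rare_queries = sum(labels[p] for p in rare)
    return {"unique_labels": len(labels), "resolvers": len(resolvers),
            "rare_fraction": rare_queries / total if total else 0.0,
            "rare_entropy": sum(map(shannon_entropy, rare)) / len(rare) if rare else 0.0}

def looks_like_laundering(stats: dict, min_unique=3, min_rare=0.5, min_entropy=2.5) -> bool:
    """Flag many distinct, high-entropy labels that are each queried at most twice."""
    return (stats["unique_labels"] >= min_unique and stats["rare_fraction"] >= min_rare
            and stats["rare_entropy"] >= min_entropy)
```

Thresholds should be tuned per zone against a baseline window, since zones that legitimately serve many one-off hostnames will score higher on label churn.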
Another notable aspect contributing to the surge in DDoS onslaughts is the rise of pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan (also known as Storm-1359) that have predominantly focused on targets in the U.S. and Europe. There is no evidence linking this REvil to the ransomware group of the same name.
“KillNet’s routine creation and integration of new groups is at least partially a strategy to maintain visibility in Western media and boost the influence component of its operations,” stated Mandiant in a recent analysis, adding that the group’s targeting has “consistently resonated with established and emerging Russian geopolitical priorities.”
“KillNet’s structure, leadership, and capabilities have experienced several noticeable changes over the last 18 months, evolving toward a model that includes new, higher-profile affiliate groups aimed at drawing attention to their individual brands in addition to the broader KillNet brand,” it further clarified.