Zyxel Multiple Firewall Vulnerabilities

Released: Jun 06, 2023

Updated: Jul 28, 2023


High Severity

Attack, Vulnerability Type


Actively exploited and causing denial of service

Multiple critical vulnerabilities affecting various Zyxel devices have been exploited in the wild. Attackers have been observed deploying a Mirai-like botnet that induces denial-of-service conditions. One of the vulnerabilities, CVE-2023-28771, which allows unauthenticated attackers to execute OS commands remotely, has a publicly available proof of concept (PoC).

Common Vulnerabilities and Exposures

CVE-2023-28771
CVE-2023-33009
CVE-2023-33010

Background

Zyxel Networks is a communications equipment company with over 100 million devices deployed globally, serving 1 million customers according to its website. The recently discovered vulnerabilities have been exploited in the wild, reportedly by a Mirai-based botnet variant used to cause DDoS. As reported by FortiGuard Outbreak Alerts in December 2022, the Zyxel USG FLEX was previously targeted by the Zerobot malware through its OS command injection vulnerability (CVE-2022-30525). According to a Shodan search, more than 40,000 Zyxel devices are exposed to the internet, and the number of vulnerable devices could be much higher, since some devices are not internet-exposed in their default configuration and therefore do not appear in such searches.

Latest Development

Recent news and incidents related to cybersecurity threats, encompassing events such as data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


April 25, 2023: Initial release of advisory from vendor on CVE-2023-28771, CVE-2023-33009, CVE-2023-33010
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

May 31, 2023: CISA added CVE-2023-28771 to its Known Exploited Vulnerability catalog (KEV).

June 5, 2023: CISA added CVE-2023-33009 and CVE-2023-33010 to its Known Exploited Vulnerability catalog (KEV).


June 5, 2023: Mirai-based botnets remain active, lately affecting multiple IoT devices. Go to Additional resources to review the Outbreaks and vulnerabilities related to or affected by Mirai-based botnets.

June 5, 2023: FortiGuard added Threat Signal on Zyxel Multiple Firewall Vulnerabilities
https://www.fortiguard.com/threat-signal-report/5179/

FortiGuard Labs has released an IPS signature to detect attack attempts exploiting CVE-2023-28771 and is further investigating protections for CVE-2023-33009 and CVE-2023-33010. Antivirus signatures are available to detect and block known malware related to the exploitation of vulnerable Zyxel devices.

It is strongly recommended to update ATP, USG FLEX, VPN, and ZyWALL/USG firewalls as per the vendor advisory to fully mitigate the risk of exploitation of these vulnerabilities, and to look for denial-of-service (DoS) symptoms that could arise if a device has been compromised.
https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices


FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • IPS

DETECT
  • IOC

  • Outbreak Detection

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

