9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.899 High
EPSS
Percentile
98.3%
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems.
βThrough the capture of exploit traffic, the attackerβs IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia,β Fortinet FortiGuard Labs researcher Cara Lin said.
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending a specifically crafted packet to the targeted appliance.
Last month, the Shadowserver Foundation warned that the flaw was being βactively exploited to build a Mirai-like botnetβ at least since May 26, 2023, an indication of how abuse of servers running unpatched software is on the rise.
The latest findings from Fortinet suggest that the shortcoming is being opportunistically leveraged by multiple actors to breach susceptible hosts and corral them into a botnet capable of launching DDoS attacks against other targets.
This comprises Mirai botnet variants such as Dark.IoT and another botnet that has been dubbed Katana by its author, which comes with capabilities to mount DDoS attacks using TCP and UDP protocols.
βIt appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices,β Lin said.
The disclosure comes as Cloudflare reported an βalarming escalation in the sophistication of DDoS attacksβ in the second quarter of 2023, with threat actors devising novel ways to evade detection by βadeptly imitating browser behaviorβ and keeping their attack rates-per-second relatively low.
Adding to the complexity is the use of DNS laundering attacks to conceal malicious traffic via reputable recursive DNS resolvers and virtual machine botnets to orchestrate hyper-volumetric DDoS attacks.
βIn a DNS Laundering attack, the threat actor will query subdomains of a domain that is managed by the victimβs DNS server,β Cloudflare explained. βThe prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack.β
βDue to the randomization element, recursive DNS servers will never have a cached response and will need to forward the query to the victimβs authoritative DNS server. The authoritative DNS server is then bombarded by so many queries until it cannot serve legitimate queries or even crashes all together.β
UPCOMING WEBINAR
[Shield Against Insider Threats: Master SaaS Security Posture Management
](<https://thn.news/I26t1VFD>)
Worried about insider threats? Weβve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
Another noteworthy factor contributing to the increase in DDoS offensives is the emergence of pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan (aka Storm-1359) that have overwhelmingly focused on targets in the U.S. and Europe. There is no evidence to connect REvil to the widely known ransomware group.
KillNetβs βregular creation and absorption of new groups is at least partially an attempt to continue to garner attention from Western media and to enhance the influence component of its operations,β Mandiant said in a new analysis, adding the groupβs targeting has βconsistently aligned with established and emerging Russian geopolitical priorities.β
βKillNetβs structure, leadership, and capabilities have undergone several observable shifts over the course of the last 18 months, progressing toward a model that includes new, higher profile affiliate groups intended to garner attention for their individual brands in addition to the broader KillNet brand,β it further added.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.899 High
EPSS
Percentile
98.3%