Zyxel Device Exploitation: DDoS Botnets Unleashing Devastating Attacks:-

4 min readJul 23, 2023

Introduction

DDoS botnets are exploiting a critical vulnerability in Zyxel devices to gain remote control and launch devastating attacks. The flaw was initially reported by researchers from TRAPA Security, and Zyxel issued a security advisory on April 25, 2023. However, organizations that have yet to patch the vulnerability have emerged as public nuisance. In this blog, we will discuss the vulnerability, how it is being exploited, and what organizations can do to protect themselves.

The Vulnerability

The vulnerability, tracked as CVE-2023–28771, affects Zyxel devices running firmware version ZLD V4.60, and allows attackers to bypass authentication and gain remote control of the device. This means that attackers can use the device to launch DDoS attacks, steal sensitive information, or install malware on other devices on the network.

Exploitation

Multiple DDoS botnets have been observed targeting Zyxel devices to exploit the vulnerability. The botnets, including Dark.IoT and custom botnets, are using the vulnerability to launch devastating DDoS attacks. Researchers warn that the attacks are likely to continue until organizations patch the vulnerability.

Impact

The impact of a DDoS attack can be devastating for organizations. DDoS attacks can cause websites and online services to become unavailable, resulting in lost revenue and reputational damage. In some cases, DDoS attacks are used as a smokescreen for other attacks, such as data theft or malware installation.

Protection

Organizations that use Zyxel devices should ensure that they have patched the vulnerability as soon as possible. Zyxel issued a security advisory on April 25, 2023, which includes instructions on how to patch the vulnerability. In addition, organizations should consider implementing the following measures to protect themselves from DDoS attacks:

DDoS Protection Services: Organizations can use DDoS protection services to mitigate the impact of DDoS attacks. These services use a combination of network filtering and traffic diversion to ensure that legitimate traffic can still reach the organization’s website or online service.
Firewalls: Firewalls can be used to block traffic from known malicious IP addresses and to limit the impact of DDoS attacks.
Intrusion Detection and Prevention Systems (IDPS): IDPS can be used to detect and prevent attacks on the network. These systems can detect and block traffic from known malicious IP addresses, as well as traffic that matches known attack patterns.

Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance №1 as a sizable number of them continue to get hacked by DDoS botnets

Basic Python Script for Blocking Known Malicious IPs:

import os
import subprocess
import requests
# Replace this list with known malicious IP addresses you want to block
MALICIOUS_IPS = [‘1.2.3.4’, ‘5.6.7.8’, ‘9.10.11.12’]
def block_ip_with_firewall(ip):
# Replace these commands with appropriate commands for your operating system and firewall setup
# This example uses iptables on Linux. You might need to adjust for Windows or other systems.
subprocess.run([‘iptables’, ‘-A’, ‘INPUT’, ‘-s’, ip, ‘-j’, ‘DROP’])
print(f”Blocked IP: {ip}”)
def main():
# Check for Zyxel vulnerability (replace this URL with the actual advisory URL)
advisory_url = “https://example.com/security_advisory"
response = requests.get(advisory_url)

if response.status_code == 200:
print(“Zyxel vulnerability is known. Please apply the patch as soon as possible.”)
else:
print(“Zyxel vulnerability is not known or the advisory URL is invalid. “
“Please check for updates from Zyxel directly.”)
# Blocking known malicious IPs
print(“Blocking known malicious IPs…”)
for ip in MALICIOUS_IPS:
block_ip_with_firewall(ip)
if __name__ == “__main__”:
main()

Conclusion

DDoS botnets are exploiting a critical vulnerability in Zyxel devices to launch devastating attacks. Organizations that use Zyxel devices should ensure that they have patched the vulnerability as soon as possible, and should consider implementing additional measures to protect themselves from DDoS attacks. DDoS attacks can have a significant impact on an organization’s revenue and reputation, and can be used as a smokescreen for other attacks. By taking proactive measures to protect themselves, organizations can reduce the risk of falling victim to a DDoS attack.