Zyxel Multiple Firewall Vulnerabilities

Released: Jun 06, 2023

Updated: Jul 28, 2023


High Severity

Attack, Vulnerability Type


Actively exploited and causing denial of service

Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers are observed deploying Mirai like botnet inducing denial of service conditions. One of the vulnerability, CVE-2023-28771 which allows unauthenticated attackers to execute OS commands remotely has a publicly available proof of concept (PoC). Learn More »

Common Vulnerabilities and Exposures

CVE-2023-28771
CVE-2023-33009
CVE-2023-33010

Background

Zyxel Networks is a communications equipment company with over 100 million devices globally and serving 1 million customers according to their website. The recent discovered vulnerabilities has been seen exploited in the wild and reportedly exploited by Mirai based botnet variant to cause DDoS. As reported by FortiGuard Outbreak Alerts on December 2022, the Zyxel USG FLEX was previously targetted by the Zerobot malware due to its OS command injection vulnerability (CVE-2022-30525). According to a Shodan search there are 40,000+ Zyxel devices exposed to internet and the number of vulnerable devices could be much more as the default setting of some of the devices are not internet exposed.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


April 25, 2023: Initial release of advisory from vendor on CVE-2023-28771, CVE-2023-33009, CVE-2023-33010
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

May 31, 2023: CISA added CVE-2023-28771 to its Known Exploited Vulnerability catalog (KEV).

June 5, 2023: CISA added CVE-2023-33009 and CVE-2023-33010 to its Known Exploited Vulnerability catalog (KEV).


June 5, 2023: Mirai based botnet remain active, lately affecting multiple IoT devices. Go to Addtional resources to review the Outbreaks and vulnerabilties related/affected by Mirai based Botnet.

June 5, 2023: FortiGuard added Threat Signal on Zyxel Multiple Firewall Vulnerabilities
https://www.fortiguard.com/threat-signal-report/5179/

FortiGuard Labs has released an IPS signature to detect any attack attempts to exploit CVE-2023-28771 and further investigating protections for CVE-2023-33009 and CVE-2023-33010. Antivirus signatures to detect and block known malware related to exploitation of vulnerable Zyxel devices.

It is strongly recommended to update ATP, USG Flex, VPN, and ZyWALL/USG firewalls to prevent exploitation of recent vulnerabilities as per vendor advisory to fully mitigate the risk and look for DoS "Denial of Service" like symptoms that could arise if compromised.
https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices


FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • IPS

DETECT
  • IOC

  • Outbreak Detection

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status
http://13.67.95.191/armv7l url Active
babaroga.lib domain Inactive
217.57.80.18 ip Active
70.62.153.174 ip Active
blacknurse.lib domain Active
dragon.lib domain Active
tempest.lib domain Active
92.118.39.16 ip Active
171.22.136.15 ip Active
109.207.200.42 ip Active
109.207.200.43 ip Active
109.207.200.44 ip Active
171.22.136.18 ip Active
109.205.213.30 ip Active
http://92.118.39.16/lolmips url Active
193.32.162.190 ip Active
45.128.232.143 ip Active
dbovmix.xyz domain Inactive
205.147.101.170 ip Active
shinji.app domain Inactive
91.235.234.81 ip Active
176.124.32.84 ip Active
312022da42ab6df882c44d984f9aceea7f08e217a5ca8ca... file Active
42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2... file Active
034cdcb42d1d7b921b4732230bbdcb4089107490a30b8cd... file Active
0c394849ce4f636cc79cc84389b66a0dbdaf14a61a6d873... file Active
12c65cfd227d393fd338223eb50140571760de04ef0a21f... file Active
185.180.199.41 ip Active
28fa9225db6d42084123989712313489e255376134f8e77... file Active
2c55674e938e7618f7c9273e3da61ce7aeab3dc5626b7b8... file Active
2fe13ee992cf00778bcc92dc3732305114dca1700dedca7... file Active
3d69c780fefa0c3a34190989d43268a272004f0623d3e59... file Active
51becb81d6bdfe79111974c05f2e4a20a8825a872a92df8... file Active
6137a30d8eb932d25664ced747424b15072e676b5d4d27d... file Active
729f2fa4d037912a360cb7c4e2c37765da0c38725451600... file Active
79f69993110688372a5898d05f1141b7f44f3f5f55cd50b... file Active
85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d... file Active
928d8ccd71edda5891068d703603ba0b70687f746c9da73... file Active
a6729c047d776294fa21956157eec0b50efa7447b8e2834... file Active
c68211116bbc43c2fe0aba8b598b88b218adc0d995311a4... file Active
d618c817e6a93193a499126156a1f7e888008dacdb247a7... file Active
dfubdf.click domain Inactive
djk38zbdhqpdlshfb.shinji.app domain Inactive
dvrcontroller.libre domain Active
f82f5ec551f9ac3bb5a3b1ace5dd21c35239bd983fd9a36... file Active
http://171.22.136.18/mips url Active
http://171.22.136.18/mips_32 url Active
http://171.22.136.18/mips64 url Active
http://171.22.136.18/mipsel url Active
http://171.22.136.18/mipsel_32 url Active
http://185.180.199.41/a url Active
http://185.180.199.41/b url Active
http://45.125.66.80/b url Active
juice-wrld.lat domain Active
keipyeb.africa domain Inactive
lil-peep.online domain Inactive
lil-tracy.store domain Inactive
new.juice-wrld.lat domain Active
new.lil-peep.online domain Active
new.lil-tracy.store domain Active
new.post-malone.xyz domain Inactive
post-malone.xyz domain Active
routercontroller.geek domain Active
tvoewev.link domain Inactive
109.207.200.47 ip Active
45.125.66.80 ip Active
79.137.248.162 ip Active
hoz.1337.cx domain Inactive
https://t.me/shinjiapp url Active
147.182.243.49 ip Active
147.182.243.49:53 ip Active
45.207.56.92 ip Active
45.207.56.92:80 ip Active
85.192.41.69 ip Active
85.192.41.69:3177 ip Active
185.44.81.147 ip Active
145.239.54.169 ip Active
185.180.223.48 ip Active
45.89.106.147 ip Active
46.8.198.196 ip Active
91.235.234.251 ip Active
joshan.pro domain Active
www.joshan.pro domain Inactive
193.34.212.225 ip Active
153.190.61.200 ip Active
Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days

Chg

Avg 0