
Several distributed denial of service (DDoS) botnets have been observed exploiting critical flaws in Zyxel devices that were revealed in April 2023 to remotely control vulnerable systems.
Fortinet FortiGuard Labs researcher Cara Lin said, “Exploit traffic captures have identified the IP addresses of the attackers, with attacks occurring in multiple regions, including Central America, North America, East Asia, and South Asia.”
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that allows an unauthenticated attacker to execute arbitrary code by sending specially crafted packets to a vulnerable appliance.
The Shadowserver Foundation warned last month that the flaw has been “actively exploited to build Mirai-like botnets” since at least May 26, 2023, underscoring how the abuse of devices running unpatched software continues to grow.
Fortinet’s latest findings show that this shortcoming has been opportunistically exploited by multiple attackers, who compromise susceptible hosts and corral them into botnets that can launch DDoS attacks against other targets.
These include Mirai botnet variants such as Dark.IoT, as well as another botnet its creators named Katana, which can launch DDoS attacks over both the TCP and UDP protocols.
“The campaign appears to have launched attacks utilizing multiple servers and updated itself within days to maximize compromise of Zyxel devices,” Lin said.
The disclosure comes after Cloudflare reported a “worrisome escalation in the sophistication of DDoS attacks” in Q2 2023, in which threat actors “adeptly mimicked browser behavior” and kept their per-second attack rates relatively low as a new way to evade detection.

Adding to the complexity is the use of DNS laundering attacks to hide malicious traffic through popular recursive DNS resolvers and virtual machine botnets to orchestrate massive DDoS attacks.
“In a DNS laundering attack, the attacker queries subdomains of a domain that is managed by the victim’s DNS server,” Cloudflare explained. “The prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack.”
“Due to the randomization element, the recursive DNS server has no cached response and must forward the query to the victim’s authoritative DNS server. The authoritative DNS server is then bombarded with so many queries that it crashes altogether.”
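The telltale sign of the laundering pattern described above, seen from the authoritative side, is a zone whose query volume is dominated by subdomain prefixes that never repeat, arriving via many different recursive resolvers. The following is an added example (not code from the article or from Cloudflare) that scores zones in a constructed query log on exactly those two properties; the zone names, resolver addresses and thresholds are all illustrative.

```python
from collections import defaultdict

# Constructed sample of an authoritative server's query log as (resolver_ip, qname).
# The victim.example zone receives one-off random prefixes relayed by many
# recursive resolvers; corp.example sees ordinary repeated names.
SAMPLE_QUERIES = [
    ("198.51.100.10", "x7q2k9ab.victim.example"),
    ("198.51.100.11", "p0mzr4tt.victim.example"),
    ("198.51.100.12", "j3nd8wqe.victim.example"),
    ("198.51.100.13", "vb61lc2s.victim.example"),
    ("198.51.100.14", "ze9ta0hy.victim.example"),
    ("198.51.100.15", "q5rk7mfx.victim.example"),
    ("203.0.113.5", "www.corp.example"),
    ("203.0.113.5", "www.corp.example"),
    ("203.0.113.6", "www.corp.example"),
    ("203.0.113.6", "mail.corp.example"),
    ("203.0.113.7", "mail.corp.example"),
]

def zone_of(qname, depth=2):
    """Last `depth` labels of the name, e.g. 'victim.example' (assumes simple TLDs)."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def prefix_of(qname, depth=2):
    """Everything in front of the zone, i.e. the attacker-chosen subdomain prefix."""
    return ".".join(qname.rstrip(".").split(".")[:-depth])

def analyze(queries, rare_max=2):
    """Per zone: query volume, share of queries whose prefix appears at most
    rare_max times (the 'used once or twice' signature), and distinct resolvers."""
    prefix_counts = defaultdict(lambda: defaultdict(int))
    resolvers = defaultdict(set)
    for src, qname in queries:
        zone = zone_of(qname)
        prefix_counts[zone][prefix_of(qname)] += 1
        resolvers[zone].add(src)
    report = {}
    for zone, counts in prefix_counts.items():
        total = sum(counts.values())
        rare = sum(n for n in counts.values() if n <= rare_max)
        report[zone] = {"total": total, "rare_ratio": rare / total,
                        "resolvers": len(resolvers[zone])}
    return report

def flag_laundering(queries, min_queries=5, min_ratio=0.8, min_resolvers=3):
    """Zones whose traffic is mostly never-repeated prefixes spread across many
    resolvers; thresholds are illustrative and must be tuned per zone."""
    return sorted(zone for zone, r in analyze(queries).items()
                  if r["total"] >= min_queries and r["rare_ratio"] >= min_ratio
                  and r["resolvers"] >= min_resolvers)

if __name__ == "__main__":
    print(flag_laundering(SAMPLE_QUERIES))  # ['victim.example']
```

In production the same two ratios are cheap to keep as rolling per-zone counters, and a sudden jump in rare-prefix share is a better trigger than raw query volume, which legitimate resolver traffic can also spike.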
Another notable factor contributing to the increase in DDoS attacks is the emergence of pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan (aka Storm-1359), whose targeting is overwhelmingly focused on the United States and Europe. There is no evidence linking this REvil with any known ransomware group.
In a new analysis, Mandiant said KillNet’s “regular establishment and absorption of new groups is at least in part an attempt to keep it in the spotlight of the Western media and strengthen the influence factor of its operations.” The firm added that the group’s targeting has been “consistently” aligned with “established and emerging Russian geopolitical priorities.”
“KillNet’s structure, leadership, and capabilities have undergone several tangible changes over the past 18 months, progressing towards a model that includes new and high-profile related groups intended to focus on individual brands in addition to the broader KillNet brand,” Mandiant added.