Ddos 
A sudden and coordinated wave of exploit attempts targeting a critical vulnerability in Zyxel firewalls has been detected. The attack centers around CVE-2023-28771, a high-severity remote code execution vulnerability (CVSS 9.8) affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.
“On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation,” the company reported.
CVE-2023-28771 allows remote attackers to inject system commands without authentication by sending specially crafted IKE packets to vulnerable Zyxel devices. If successful, attackers gain full control over the targeted firewall—effectively turning it into a foothold for further attacks or botnet enlistment.
Affected Zyxel product lines include:
- ATP (Advanced Threat Protection) – ZLD V4.60 to V5.35
- USG FLEX – ZLD V4.60 to V5.35
- VPN series – ZLD V4.60 to V5.35
- ZyWALL/USG – ZLD V4.60 to V4.73
Patches were released by Zyxel on April 25, 2023, but unpatched devices remain vulnerable.
GreyNoise’s threat intelligence noted that: “In the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.”
This suggests a deliberate and well-timed attack strategy, likely automated and synchronized.
Notably:
- All 244 IPs involved are registered to Verizon Business infrastructure and geolocated to the United States.
- However, due to the use of UDP port 500, IP spoofing is possible, casting doubt on the apparent source.
GreyNoise identified patterns consistent with Mirai botnet variants, as also corroborated by VirusTotal analysis of the payloads. This aligns with previous cases where botnets preyed on edge devices through unpatched IoT and networking gear.
“Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants,” the report confirms.
The exploitation traffic was not limited to a single region. The top targeted countries include:
- United States
- United Kingdom
- Spain
- Germany
- India
These regions are home to many small-to-medium businesses and government agencies, often relying on Zyxel for perimeter security.
GreyNoise strongly recommend the following defensive actions:
- Update immediately: Ensure all affected Zyxel devices are patched with the latest firmware.
- Block the 244 IPs: While spoofing is possible, GreyNoise has flagged these IPs as malicious and advises proactive blocking.
- Limit UDP port 500 exposure: Filter unnecessary inbound traffic where possible.
- Monitor for anomalies: Check for post-exploitation indicators such as unusual process behavior, traffic patterns, or enrollment in botnets.
Related Posts:
- Zyxel Firewall Alert: Patch Now to Close the CVE-2023-28771 Vulnerability
- New malware uses specially crafted UDP protocol for C&C Communications
- Zyxel Devices Targeted by Malicious Actors: Urgent Firmware Update Required
- North Korean Cyberattacks Persist: Developers Targeted via npm
- CVE-2023-33009, CVE-2023-33010: Critical Zyxel Firewall Vulnerabilities
Donate