Mirai-like botnet targets Zyxel NAS devices in Europe to launch DDoS attacks

Zyxel NAS devices are under attack! Mirai-like botnet exploits recent security flaw (CVE-2024-29973). Patch now to prevent takeover! Learn how to secure your NAS from potential takeover and DDoS attacks.

A new botnet has been discovered, eerily similar to the notorious Mirai botnet, targeting two “retired” Zyxel NAS devices across Europe.

Outpost24’s vulnerability research arm reported three critical vulnerabilities in the NAS endpoints of Taiwanese networking device manufacturer Zyxel in March 2024.

Now, Censys researchers report that a Mirai-like botnet is targeting these vulnerable endpoints, potentially allowing operators to gain root privileges to execute malicious code, steal sensitive data, and install malware.

These “critical” vulnerabilities are tracked as CVE-2024-29973 (Python Code Injection Vulnerability), CVE-2024-29972 (NsaRescueAngel Backdoor Account), and CVE-2024-29974 (Permanent Remote Code Execution Vulnerability), and all have a CVSS score of 9.8.

The affected devices are the outdated Zyxel NAS326 (versions before V5.21(AAZF.16)C0) and NAS542 (versions before V5.21(ABAG.13)C0) NAS models. Both have reached the end of their life cycle, but the Taiwanese company decided to patch them under the extended warranty it provides to some organizations.

The Shadowserver Foundation Security Threat Monitor reports that threat actors are scanning for CVE-2024-29973 to enroll endpoints into a botnet. IBM X-Force discovered this remote code injection vulnerability last year, after Zyxel patched CVE-2023-27992.

CVE-2024-29972 and CVE-2024-29973 are command injection vulnerabilities exploited via crafted unauthenticated HTTP POST requests, while CVE-2024-29974 allows attackers to execute arbitrary code via crafted configuration files. A proof of concept is available here.

Once breached, these devices become part of a botnet, potentially used to launch DDoS attacks on critical infrastructure or companies. Europe is particularly vulnerable, with 1,194 Zyxel devices vulnerable to the attack, including 197 hosts in Italy, 166 in Russia, 149 in Hungary and 144 in Germany.

Figure: A Mirai-like botnet targets Zyxel NAS devices in Europe to conduct DDoS attacks (Screenshot: Censys)

Outpost24 security researcher Timothy Hjort explained that a security flaw occurred during the patching of CVE-2023-27992, where a new endpoint was added to patch an existing one, introducing “the same bugs as its predecessors.”

For your information, the Mirai botnet is a large network of hijacked devices infected with malware that allows attackers to control them remotely.

Cybercriminals often target Zyxel, D-Link and QNAP NAS devices due to their importance to organizations and frequent misconfigurations. In April, a high-severity security vulnerability disclosed by netsecfish was discovered affecting thousands of D-Link NAS devices, allowing malicious code execution, data theft and DoS attacks.

To stay safe, identify the model and version of your Zyxel NAS, download and install the latest security patch if your device is vulnerable, and consider disabling remote access. More information can be found on the Zyxel website.
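As an added example (not code from the article, Censys, Outpost24 or Zyxel), here is the "identify model and version" step turned into a small triage script in Python: it parses Zyxel's firmware string format (V5.21(AAZF.16)C0 and V5.21(ABAG.13)C0 are the fixed versions named above) and flags inventory entries that sit below the fixed version for their model. The ordering rule (major.minor, then the build number in parentheses, then the trailing C release) and the CSV inventory layout are assumptions; the inventory rows are constructed sample data.

```python
import csv
import io
import re
from typing import NamedTuple, Optional

# Fixed firmware versions named in the article, keyed by model.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

# Assumed layout of a Zyxel version string: V<major>.<minor>(<code>.<build>)C<release>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    model_code: str  # the letter code in parentheses (AAZF, ABAG)
    build: int
    release: int


def parse_version(s: str) -> ZyxelVersion:
    """Parse a Zyxel firmware string; raises ValueError on anything else."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, build, rel = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(rel))


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if version is older than the fixed version for model, False if
    at or above it, None if the model is not one the article covers.
    Ordering (major, minor, build, release) is an assumption."""
    fixed_str = FIXED_VERSIONS.get(model.strip().upper())
    if fixed_str is None:
        return None
    fixed = parse_version(fixed_str)
    current = parse_version(version)
    if current.model_code != fixed.model_code:
        # The letter code identifies the firmware line; a mismatch means the
        # inventory row is inconsistent and should be checked by hand.
        raise ValueError(f"{model}: firmware code {current.model_code} does not match {fixed.model_code}")
    key = lambda v: (v.major, v.minor, v.build, v.release)
    return key(current) < key(fixed)


# Constructed sample inventory (assumed CSV layout: host,model,version).
# "NAS-OTHER" / "V1.00(XXXX.01)C0" is a placeholder for a model the article does not cover.
INVENTORY = """\
host,model,version
nas-it-01,NAS326,V5.21(AAZF.15)C0
nas-de-02,NAS542,V5.21(ABAG.13)C0
nas-hu-03,NAS542,V5.20(ABAG.11)C0
nas-fr-04,NAS-OTHER,V1.00(XXXX.01)C0
"""


def triage(inventory_text: str) -> list:
    """Return one (host, model, version, status) tuple per inventory row,
    where status is 'vulnerable', 'patched' or 'not covered'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        verdict = is_vulnerable(row["model"], row["version"])
        status = {True: "vulnerable", False: "patched", None: "not covered"}[verdict]
        results.append((row["host"], row["model"], row["version"], status))
    return results


if __name__ == "__main__":
    for host, model, version, status in triage(INVENTORY):
        print(f"{host:12} {model:10} {version:20} {status}")
```

Rows marked "vulnerable" are the ones to patch first (or to take off remote access until patched); rows marked "not covered" still need a check against Zyxel's own advisory, since the script only knows the two models and fixed versions the article names.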
