Mirai-like botnet affects Zyxel NAS devices

A botnet strikingly similar to the notorious Mirai is targeting end-of-life Zyxel NAS devices, new research shows.

A report from the Shadowserver Foundation, a non-profit that monitors cyber threats, says that threat actors have recently started scanning for one of three flaws, CVE-2024-29973, a command injection vulnerability.

The apparent goal is to enrol the compromised devices in a botnet.

Botnets

In March 2024, researchers at Outpost24 discovered three vulnerabilities in Zyxel's network-attached storage (NAS) devices: CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974. All three carry a CVSS severity score of 9.8 (critical) and affect the NAS326 (firmware V5.21(AAZF.16)C0 and earlier) and the NAS542 (firmware V5.21(ABAG.13)C0 and earlier).

A few months later, threat actors started targeting the vulnerable endpoints.

A botnet is essentially a ‘network of bots’: compromised endpoints whose computing power and internet bandwidth can be used for malicious purposes.

Botnets are usually used for DDoS (Distributed Denial of Service) attacks or for renting out bandwidth and IP addresses to illegal residential proxy services.

It is also worth noting that even though both NAS models have reached end of life, the Taiwanese company still released patches for them, because some organizations have extended warranty coverage for the devices. If your organization uses these products, apply the patches immediately.

Better still, disconnect the devices entirely and replace them with newer, supported models.
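To turn the affected-version ranges quoted above into a check an administrator can run against a device inventory, here is an added example in Python; it is not code from the article, from Zyxel or from Outpost24. It parses the firmware string as V<major>.<minor>(<code>.<patch>)C<n>, a layout inferred from the two version strings quoted in the article rather than from Zyxel documentation, and treats any firmware with the same per-model code and an equal or lower (major, minor, patch) as affected. The sample inventory, the hostnames and every version not quoted in the article are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Latest vulnerable firmware per model, as quoted in the article. Any firmware
# for the same model at this version or lower is treated as affected.
AFFECTED_CEILING = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

# Assumed layout of the Zyxel firmware string: V<major>.<minor>(<model code>.<patch>)C<n>.
# Inferred from the two strings above, not taken from Zyxel documentation.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str   # per-model firmware code, e.g. AAZF for the NAS326
    patch: int
    c: int      # trailing C<n> suffix; ignored for ordering (assumption)

    def order_key(self):
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel NAS firmware string; tolerates stray spaces such as 'V5.21(ABAG.13) C0'."""
    m = _VERSION_RE.match(text.replace(" ", ""))
    if m is None:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, patch, c = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(patch), int(c))


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the firmware is in the affected range, False if it is newer, and None if
    the model is not one of the two listed or the firmware code does not belong to
    that model (no conclusion can be drawn, so it must be checked by hand)."""
    ceiling_text = AFFECTED_CEILING.get(model.strip().upper())
    if ceiling_text is None:
        return None
    ceiling = parse_version(ceiling_text)
    candidate = parse_version(version)
    if candidate.code != ceiling.code:
        return None
    return candidate.order_key() <= ceiling.order_key()


def triage(inventory):
    """Sort (hostname, model, firmware) records into affected / not_affected / unknown.
    Unparseable firmware strings land in 'unknown' rather than being silently skipped."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, model, firmware in inventory:
        try:
            verdict = is_affected(model, firmware)
        except ValueError:
            verdict = None
        bucket = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the versions not quoted in the article are made up.
    sample = [
        ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
        ("nas-02", "NAS542", "V5.21(ABAG.13) C0"),
        ("nas-03", "NAS326", "V5.21(AAZF.17)C0"),
        ("nas-04", "NAS542", "V5.20(ABAG.9)C0"),
        ("nas-05", "NAS540", "V5.21(AATB.12)C0"),
        ("nas-06", "NAS326", "garbage"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything the script files under "unknown" (an unlisted model, a firmware code that does not match the model, or a string it cannot parse) still needs to be compared by hand against Zyxel's advisory; the script only automates the two ranges the article states.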

Network storage devices such as these are frequent targets for criminals because of their importance to the organization and because they are so often misconfigured. Beyond Zyxel, threat actors continually hunt for D-Link and QNAP devices to attack. In early April, for instance, it was reported that thousands of end-of-life D-Link NAS devices had a serious vulnerability that could allow attackers to execute malicious code, steal sensitive data and trigger denial-of-service (DoS) attacks.

Via The Register
