The notorious Mirai botnet has resurfaced, exploiting an operating system command injection vulnerability in numerous Zyxel network devices. Although Zyxel released a patch in April, it remains unclear how many users have applied the fix, leaving them exposed to potential attacks.
Security experts have raised concerns about the scale of exploitation, emphasizing the urgent need for users to patch the vulnerability as quickly as possible.
Anti-malware firms are closely monitoring the attacks, with Google’s VirusTotal malware-tracking site providing detailed information. The Zyxel-targeting Mirai malware is being distributed as an executable and linkable format (ELF) file, primarily infecting Linux and Unix systems.
Security firm Rapid7 has identified approximately 42,000 instances of Zyxel web interfaces publicly accessible on the internet, but this number doesn’t account for vulnerable VPN implementations, indicating the actual exposure could be much higher.
The Mirai code targeting Zyxel devices is a legacy of a botnet created by three Minecraft players in 2016. Exploiting well-documented default usernames and passwords, the original Mirai coders infected a wide range of Internet of Things devices.
Since then, different hacker groups have adapted the Mirai code for new campaigns, with the recent focus being on Zyxel networking devices.
With the recent patch released by Zyxel, the vulnerability (designated as CVE-2023-28771) has been addressed. However, attackers are taking advantage of unpatched systems, using a crafted packet to remotely execute operating system commands on vulnerable devices.
Security researchers have highlighted the critical nature of the flaw, as it targets a service that is publicly accessible and doesn’t require authentication.
