'Mirai-like' botnet observed attacking EOL Zyxel NAS devices

Seems like as good a time as any to upgrade older hardware


There are early indications of active attacks targeting end-of-life Zyxel NAS boxes just a few weeks after details of three critical vulnerabilities were made public.

The Shadowserver Foundation, an internet security organization partnered with many of the world's top security agencies and vendors, said its scanners started beeping on Friday as it continues to monitor CVE-2024-29973.

It observed multiple remote command execution attempts "by a Mirai-like botnet" and advised owners of affected Zyxel NAS devices to actively search for signs of compromise, especially if the patches weren't applied immediately.

It also might be a good idea to just rip and replace the kit if it is still running, given that it's fairly uncommon for vendors to release security updates for devices that have already reached their end of support.

Shadowserver told us the Mirai-based botnet shares characteristics with its famous Linux botherder ancestor, without sporting "exactly the same code base as the original." We know that Mirai spun up once again last year with researchers at the time saying it was bolstered with an "aggressively updated arsenal of exploits," which included those for D-Link and, yes, Zyxel devices.

CVE-2024-29973 is one of the three critical bugs patched in early June, all of which received a near-maximum 9.8 severity rating. It's a command injection flaw affecting Zyxel NAS326 and NAS542 devices that could be exploited by unauthenticated attackers.

Shadowserver mentioned nothing of the other two – CVE-2024-29972 and CVE-2024-29974 – in its Friday update. The first is another command injection bug and the second a remote code execution flaw.

The vulnerabilities were discovered by an intern at Outpost24 and reported to Taiwan-based Zyxel in March. Both Timothy Hjort, the researcher, and Zyxel disclosed the bugs on June 4, with Hjort also providing proof of concept (PoC) exploit code in his write-up, meaning it was probably inevitable that these types of attacks would start cropping up.

NAS devices are prime targets for cyberattacks, usually involving ransomware. QNAP's boxes have been hit especially hard, with the Qlocker and DeadBolt variants in 2021 and 2022 garnering plenty of attention.

It's not just ransomware that threatens NAS devices generally, though. As Trend Micro's Stephen Hilt and Fernando Mercês said back in 2022, cryptominers and botnet operators saw opportunity in the Internet of Things long ago.

"Botnet infections and attacks have run rampant in IoT devices since 2016, mainly due to botnets' capability to spread infections to as many hosts as possible, all in the name of helping cybercriminals achieve their many aims, such as launching distributed denial-of-service (DDoS) attacks," they wrote.

"NAS devices are ideal targets due to the minimal security defenses and protection installed in them, which are not enough once attackers have compromised one. Moreover, even older malware types and infections can remain undetected in these IoT devices for years due to lack of patching, further increasing the risks for NAS users due to the number of potential illicit use in addition to DDoS, such as information theft and proxy networks."

Owners of affected Zyxel NAS326 devices should install the V5.21(AAZF.17)C0 patch ASAP if they haven't already; V5.21(ABAG.14)C0 is the equivalent patch for the Zyxel NAS542. Or just upgrade the kit where possible for the most up-to-date security. ®
