Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug

That's according to researchers at Radware, who also said that it is notable how quickly the Hoaxcalls operators have moved to weaponize the ZyXel bug, which, as of the time of writing, has still not been addressed in a ZyXel advisory.
According to the Palo Alto Unit 42 researchers who found it, the original sample featured three DDoS attack vectors (UDP, DNS and HEX floods) and was seen infecting devices through two vulnerabilities: a DrayTek Vigor2960 remote code-execution vulnerability and a GrandStream Unified Communications remote SQL injection bug.
"While IoT botnet variants are common, these samples highlight not only the speed in which criminals move, but also the depth and scope of the campaigns run by DDoS operators," noted Radware researchers, in an analysis posted on Wednesday.
The addition of the exploit for the unpatched bug only widens the range of routers and IoT devices that Hoaxcalls can use going forward, Radware researchers noted, adding that they expect the attack surface to continue to widen.
"The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors," Radware researchers said in the analysis.
News URL: https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/