[ Intelligence ] (TLP:CLEAR) Exploitation of Zyxel Hardware Bug

[ Please advise of any Zyxel firewalls in use on a CUNY network or facility – Robert ]

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: A critical vulnerability affecting Zyxel firewalls is being widely exploited by hackers, according to a report published this week by cybersecurity firm Rapid7 (weblink below). The vulnerability, tracked as CVE-2023-28771, is exploitable via the wide area network (WAN) interface, the port on a device that connects it to the internet. WAN interfaces are commonly found on devices such as routers, switches, and network appliances. It is the latest in a series of bugs found in products from Taiwan-based Zyxel, which sells networking hardware and other services, typically to small- and medium-sized organizations. According to Rapid7, the current vulnerability exists in the default configuration of affected devices, and a device does not need to have a VPN configuration to be vulnerable. Successful exploitation of the bug allows hackers to execute malicious code remotely on the target system to install malware.

Rapid7 Report: hxxps://www.rapid7[.]com/blog/post/2023/05/31/etr-widespread-exploitation-of-zyxel-network-devices/

NYSIC CAU Analyst Note: As of the end of May, the Zyxel vulnerability had been widely used to compromise devices to carry out further attacks through a version of the notorious Mirai botnet, according to Rapid7. Mirai is commonly used to launch distributed denial of service (DDoS) attacks, but is capable of other tasks, too. Zyxel released patches for CVE-2023-28771 in April (weblink below) and urges users to install them for protection. Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the Zyxel vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply the available update by June this year.

Zyxel Security Advisory: hxxps://www.zyxel[.]com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls

Sources:
hxxps://thehackernews[.]com/2023/06/active-mirai-botnet-variant-exploiting.html
hxxps://www.infosecurity-magazine[.]com/news/zyxel-customers-urged-patch/
hxxps://www.helpnetsecurity[.]com/2023/06/01/cve-2023-28771-exploited/

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
