Fortinet has raised an alert regarding the Gafgyt botnet malware, which is currently targeting a vulnerability in an end-of-life (EoL) Zyxel router. The attacks continue even though the device is in the final phase of its life cycle, and they amount to thousands of attempts per day.
What is Gafgyt?
Gafgyt is a type of malware that targets and takes control of vulnerable Internet-connected devices to launch cyber attacks, often participating in DDoS attacks.
Gafgyt targets CVE-2017-18368, a critical-severity command injection vulnerability (CVSS v3: 9.8) in the router's remote system log forwarding function. Zyxel patched this vulnerability in 2017.
Zyxel warned about the new Gafgyt variant in 2019 and advised users to update their firmware. Yet Fortinet has still been seeing 7,100 daily attacks since July 2023, and the attack numbers remain high.
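The bug class behind CVE-2017-18368 is a device setting (here, the remote syslog server address) that ends up on a shell command line unvalidated. The following added example is illustrative only and is not Zyxel's code: the `syslogd -R` command shape, the function names and the sample inputs are all assumptions. It shows the unsafe pattern beside an allowlist check that rejects anything but a hostname or IPv4 address.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative model of the bug class only (not the vendor's code).
   Unsafe pattern: the user-controlled server address is spliced into a
   command line that would later be handed to system(). Returns 0 and the
   built command on success, -1 if the buffer is too small. */
int build_syslog_cmd_unsafe(const char *server, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "syslogd -R %s", server);  /* assumed command shape */
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check: allow only hostname/IPv4 characters, bound the length,
   and refuse a leading '-' so the value cannot be parsed as an option.
   Shell metacharacters (';', '|', '`', '$', ...) never pass. */
int valid_syslog_server(const char *server) {
    size_t len = strlen(server);
    if (len == 0 || len > 253 || server[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)server[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Safe wrapper: validate first; -1 means the value was rejected.
   A real fix should additionally run the helper via execv() with an
   argv array instead of passing a string through a shell. */
int build_syslog_cmd_safe(const char *server, char *out, size_t outlen) {
    if (!valid_syslog_server(server)) return -1;
    return build_syslog_cmd_unsafe(server, out, outlen);
}

int main(void) {
    /* Constructed sample inputs: one benign address, one carrying a metacharacter. */
    const char *inputs[] = { "10.0.0.5", "10.0.0.5; id" };
    char cmd[256];
    for (size_t i = 0; i < 2; i++) {
        int rc = build_syslog_cmd_safe(inputs[i], cmd, sizeof cmd);
        printf("%-14s -> %s\n", inputs[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```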
“Until August 7, 2023, FortiGuard Labs has observed ongoing attack attempts on the 2017 vulnerability. In the last month alone, they’ve thwarted attacks on over a thousand distinct IPS devices,” states a recent Fortinet alert.
It is not clear what share of these attack attempts resulted in successful infections. Nevertheless, activity has remained flat since July.
CISA warned this week that CVE-2017-18368 is being actively exploited and added it to its Known Exploited Vulnerabilities catalog. The cybersecurity agency now requires federal agencies to patch the Zyxel vulnerability by August 28, 2023.
In response to the growing exploitation, Zyxel has updated its security advisory, informing customers that CVE-2017-18368 affects only devices running firmware version v001/3.40(ULM.0)b31 or earlier.
Zyxel P660HN-T1A routers running the latest firmware from 2017, version 3.40(BYF.11), are not affected by these attacks. However, the device has reached the end of its life cycle and is no longer supported, so upgrading to a newer model is recommended.
Indicators of a router botnet infection often include connection issues, device overheating, changed settings, unresponsiveness, odd network activity, newly opened ports, and unexpected reboots.
If you suspect a botnet infection, consider performing a factory reset, updating the firmware, and changing the administrator credentials.
Zyxel advises users to frequently update device firmware and consider replacing older devices with newer models for optimal data and network security.