Gafgyt Malware Actively Attacking Zyxel Router Command Injection Flaw

The ZyXEL router has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user.

In the ever-evolving landscape of cyber threats, a resurgence of attacks on legacy devices has emerged. 

The targeted exploitation of the Zyxel P660HN-T1A v1 router exemplifies the persistence and adaptability of cyber criminals.

This article sheds light on the Zyxel Router Command Injection Attack, a vulnerability that continues to haunt the cybersecurity realm.

Unmasking the Vulnerability

The Zyxel P660HN-T1A router, a once-reliable networking tool, now stands as a cautionary tale of the risks associated with end-of-life devices. 

The command injection vulnerability, known by its CVE identifier – CVE-2017-18368, resides within the Remote System Log forwarder function of firmware version 3.40 (ULM.0) b3. 

This flaw allows malicious actors to remotely execute operating system commands through a carefully crafted HTTP request, even without authentication.

Despite efforts to mitigate the threat, the Zyxel P660HN-T1A router remains a target for attackers.

A variant of the Gafgyt malware has honed in on this vulnerability, infecting IoT devices from multiple brands.

Leveraging the outdated CVE-2017-18368, these attackers recruit compromised devices into botnets, perpetuating their malevolent activities. 

While a patch was issued by Zyxel in 2017, the vulnerability persists, as the router has reached its end-of-life, leaving it unsupported and vulnerable.

FREE Webinar

API Security Fundamentals: How to Discover, Scan and Protect APIs

API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar

Register Now

Tracking the Ongoing Threat

Feb 10, 2017: FortiGuard Labs introduced an Intrusion Prevention System (IPS) signature to detect and thwart Zyxel router attacks targeting CVE-2017-18368.

Aug 7, 2023: FortiGuard Labs continues to witness attack attempts exploiting the 2017 vulnerability, having successfully blocked thousands of unique IPS devices over the past month.

Aug 7, 2023: The Cybersecurity and Infrastructure Security Agency (CISA) has formally included CVE-2017-18368 in its Known Exploited Catalog.

In the face of this persistent threat, a multi-faceted approach to cybersecurity defense is essential:

Reconnaissance: Implement robust IPS solutions to identify and thwart attack attempts on vulnerable Zyxel routers.

Detection: Stay vigilant by monitoring and correlating crucial information to promptly identify outbreaks and generate informative reports.

Response: Develop proactive containment strategies, utilizing automated response mechanisms and seeking expert assistance for thorough analysis and response.

Recovery and Future Resilience

As organizations navigate the aftermath of such attacks, bolstering security posture and processes is imperative:

NOC/SOC Training: Equip network and security professionals with comprehensive training to optimize incident response and combat evolving cyber threats.

Security Awareness: Raise employee awareness regarding phishing, drive-by downloads, and other cyberattack vectors to fortify the human element of defense.

The Zyxel Router Command Injection Attack serves as a stark reminder that cybersecurity threats respect no boundaries, even with devices that have reached their end-of-life. Organizations must remain vigilant, embracing cutting-edge defense mechanisms and fostering a culture of security awareness. 

By heeding the lessons from this ongoing battle, we can better safeguard our digital landscapes from the relentless onslaught of cyber adversaries.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.