Mirai-like Botnet Targets Zyxel NAS Devices in Europe for DDoS Attacks


Zyxel NAS devices are under attack! Mirai-like botnet exploits a recent vulnerability (CVE-2024-29973). Patch Now to Prevent Takeover! Learn how to secure your NAS from potential hijacking and DDoS attacks.

A new botnet, eerily similar to the notorious Mirai botnet, has been discovered targeting two “discontinued” Zyxel Network Attached Storage (NAS) devices across Europe.

Outpost24's Vulnerability Research Department reported three critical vulnerabilities in NAS devices from Taiwanese networking manufacturer Zyxel in March 2024.

Now Censys researchers report that a Mirai-like botnet is targeting these vulnerable endpoints, potentially allowing operators to gain root privileges to execute malicious code, steal sensitive data and install malware.

These ‘critical’ vulnerabilities are tracked as CVE-2024-29973 (Python Code Injection Vulnerability), CVE-2024-29972 (NsaRescueAngel Backdoor Account), and CVE-2024-29974 (Persistent Remote Code Execution Vulnerability), all having a CVSS score of 9.8. 

These specifically affect the outdated Zyxel NAS models NAS326 (firmware versions before V5.21(AAZF.16)C0) and NAS542 (firmware versions before V5.21(ABAG.13)C0). Both models have reached end-of-life, but Zyxel released patches for them because some organizations hold extended warranty coverage.
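The fixed firmware versions above are the practical check for defenders: anything older on those two models is in scope for the botnet. The script below is an added example, not code from Zyxel, Outpost24 or Censys, that parses Zyxel's version-string format and triages a constructed inventory against the fixed builds. It assumes (as an interpretation of the strings on the page) that a version orders by major.minor, then the numeric build inside the parentheses, then the trailing C revision, and that the letter code in parentheses is a per-model firmware branch that must match before versions are comparable; the hostnames are constructed placeholders.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Minimum patched firmware per affected model, as stated in the article.
PATCHED = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

# Assumed layout of a Zyxel NAS version string: V<major>.<minor>(<branch>.<build>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str
    build: int
    revision: int

    def key(self) -> Tuple[int, int, int, int]:
        # Ordering assumption: major.minor, then build, then C revision.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a string such as 'V5.21(AAZF.16)C0'; reject anything that does not fit the layout."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, branch, build, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), int(rev))


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if the firmware predates the fix, False if it is at or past the fix,
    None if the model is not one the article names as affected."""
    fixed = PATCHED.get(model.upper())
    if fixed is None:
        return None
    have, want = parse_version(version), parse_version(fixed)
    if have.branch != want.branch:
        # A different branch code means the string is not this model's firmware line; refuse to guess.
        raise ValueError(f"{model}: firmware branch {have.branch} does not match expected {want.branch}")
    return have.key() < want.key()


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (host, model, version) tuples, return the hosts still running pre-fix firmware."""
    return sorted(host for host, model, ver in inventory if is_vulnerable(model, ver))


# Constructed sample inventory (placeholder hostnames; versions chosen to cover each branch of the check).
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "NAS326", "V5.21(AAZF.15)C0"),  # one build before the fix
    ("nas-02.example.internal", "NAS326", "V5.21(AAZF.16)C0"),  # exactly the fixed build
    ("nas-03.example.internal", "NAS542", "V5.21(ABAG.12)C0"),  # one build before the fix
    ("nas-04.example.internal", "NAS542", "V5.21(ABAG.13)C1"),  # later revision than the fix
    ("nas-05.example.internal", "NAS-OTHER", "V5.21(ZZZZ.1)C0"),  # constructed model not named by the article
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: pre-fix firmware, patch or isolate")
```

Feed it the model and firmware version fields from whatever asset inventory or NAS web-UI export you already have; a host that the article's fixed version does not cover (unknown model or mismatched branch) is reported as unknown or rejected rather than silently marked safe.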

The Shadowserver Foundation, which monitors security threats, reports that threat actors are scanning for CVE-2024-29973 to recruit endpoints into a botnet. IBM X-Force discovered this remote code injection flaw last year, after Zyxel had patched CVE-2023-27992.

CVE-2024-29972 and CVE-2024-29973 are command injection bugs exploited via crafted HTTP POST requests without authentication, while CVE-2024-29974 allows attackers to execute arbitrary code via crafted configuration files. A proof-of-concept is available here.

Once compromised, these devices become part of a botnet, potentially used to launch DDoS attacks against critical infrastructure or businesses. Europe is particularly vulnerable, with 1,194 Zyxel devices exposed overall, including 197 hosts in Italy, 166 in Russia, 149 in Hungary, and 144 in Germany. 

Screenshot: Censys

Outpost24 security…

Source…