VulnCheck wrote about 7777-Botnet with the following information:
7777-Botnet remains active, and VulnCheck used co-located services to theorize the botnet is infecting TP-Link, Xiongmai, and Hikvision devices using CVE-2017-7577, CVE-2018-10088, CVE-2022-45460, CVE-2021-36260, and/or CVE-2022-24355.
The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume.
The botnet doesn’t just start a service on port 7777. It also spins up a SOCKS5 server on port 11228.
#zyxel#security advisory for authentication bypass and command injection vulnerabilities in #NAS products
CVE-2023-35137 - improper authentication
CVE-2023-35138 - command injection
CVE-2023-37927 - improper neutralization of special elements
CVE-2023-37928 - post auth command injection
CVE-2023-4473 - command injection
CVE-2023-4474 - improper neutralization of special elements
Fortunately, Zyxel has released patches for these. Update to the latest #firmware.
Denmark's CERT (SektorCERT) reported that 22 companies that operate parts of Danish energy infrastructure were compromised in a May 2023 coordinated attack, linked to SANDWORM actors. Sandworm is a state-sponsored APT publicly attributed to Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST) by the U.S. government. The attackers leveraged a Zyxel vulnerability CVE-2023-28771 (9.8 critical) to gain control of the firewall. SektorCERT's incident response report includes a detailed analysis and timeline of the attack, recommendations and IOC. Link:https://media.licdn.com/dms/document/media/D4D1FAQG-Qsry8BH9dg/feedshare-document-pdf-analyzed/0/1699785104486?e=1700697600&v=beta&t=icNMQ-rDYgeSojoaax-1KpC7YrCF7MVtkrDClSFiKIY
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #22/2023 is out! It includes, but not only:
➝ 🇺🇸 🪖 Air Force denies running simulation where AI drone “killed” its operator
➝ 🇺🇸 🏂 #Burton Snowboards discloses #databreach after February attack
➝ 🇺🇸 🧪 Enzo Biochem #Ransomware Attack Exposes Information of 2.5M Individuals
➝ 🧠 🤖 Introducing Charlotte AI, #CrowdStrike’s Generative AI Security Analyst
➝ 🐍 🦠 Malicious #PyPI Packages Using Compiled #Python Code to Bypass Detection
➝ 🇰🇵 🎠 N. Korean ScarCruft Hackers Exploit LNK Files to Spread #RokRAT
➝ 🦠 📱 New Zero-Click Hack Targets #iOS Users with Stealthy Root-Privilege #Malware
➝ 🇷🇺 🇺🇸 #Russia says U.S. accessed thousands of #Apple phones in spy plot
➝ 🇯🇵 🚗 #Toyota Discloses New Data Breach Involving Vehicle, Customer Information
➝ ☁️ 👻 Organizations Warned of #Salesforce ‘Ghost Sites’ Exposing Sensitive Information
➝ 🔐 👀 #Amazon faces $30 million fine over Ring, Alexa #privacy violations
➝ 🔐 🧱 Active Mirai Botnet Variant Exploiting #Zyxel Devices for #DDoS Attacks
➝ 🇷🇺 🇺🇦 Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access
➝ 🦠 🤖 #Spyware Found in #GooglePlay Apps With Over 420 Million Downloads
➝ 🦠 🚪 #RomCom malware spread via Google Ads for #ChatGPT, GIMP, more
➝ 👛 Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign
➝ 🍏 #Microsoft finds #macOS bug that lets hackers bypass SIP root restrictions
➝ 🦠 🚪 #Barracuda zero-day abused since 2022 to drop new malware, steal data
➝ 🇬🇷 Worst cyberattack in #Greece disrupts high school exams, causes political spat
➝ 🇮🇳 🎠 Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian #Android Users
➝ 🇺🇸 U.S. Department of Defense releases 2023 Cyber Strategy
➝ 📱☝🏻 New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
➝ 🇯🇵 🎠 New GobRAT Remote Access #Trojan Targeting #Linux Routers in #Japan
➝ 🦠 📂 Clever ‘File Archiver In The Browser’ phishing trick uses #ZIP domains
📚 This week's recommended reading is: "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" by Scott J. Shapiro
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
Analysis of #Zyxel firewall #RCE vulnerability CVE-2023-28771
“A caller-supplied error message is being written to a log file by constructing a system command and executing this command via a call to system to perform the write.”
Lost my toot on it from last month, but I recommend you patch any #Zyxel Zywall devices for CVE-2023-28771 - it's super exploitable, pre-auth and facing to internet by design. #CVE202328771#vulnerabilities