‘Mirai-like’ botnet observed attacking EOL Zyxel NAS devices

June 24, 2024 at 10:41AM

Early attacks are targeting end-of-life Zyxel NAS boxes following the disclosure of three critical vulnerabilities. The Shadowserver Foundation observed remote command execution attempts by a botnet and advised users to check for signs of compromise. Patching affected devices, or replacing them, is recommended, since end-of-life devices no longer receive regular support.

Key takeaways:

1. Active attacks are targeting end-of-life Zyxel NAS boxes after details of three critical vulnerabilities were made public, including CVE-2024-29973, a command injection flaw affecting Zyxel NAS326 and NAS542 devices.
2. The Shadowserver Foundation observed multiple remote command execution attempts by a Mirai-like botnet and advised affected Zyxel NAS owners to actively search for signs of compromise and apply patches immediately.
3. It may be advisable to replace the kit running on end-of-life devices, as vendors typically do not release security updates for such devices.
4. The vulnerabilities were discovered by an intern at Outpost24 and reported to Zyxel in March, with the bugs disclosed on June 4, including proof of concept (PoC) exploit code.
5. NAS devices are prime targets for cyberattacks, including ransomware, cryptominers, and botnet infections.

Recommendation:
Owners of affected Zyxel NAS326 and NAS542 devices should install the V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0 patches, respectively, as soon as possible, or consider replacing the kit for enhanced security.
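A practical way to act on that recommendation across a fleet is to compare each device's reported firmware string against the fixed versions named above. The script below is an added example written for this page; it is not code from the article, Shadowserver, Outpost24 or Zyxel. The two patched version strings come from the page; everything else is an assumption: that Zyxel firmware strings follow the layout `V<major>.<minor>(<line>.<build>)C<release>` seen in those two values, that the letter code (AAZF, ABAG) identifies a model's firmware line, and that a newer build has a larger build number. Hostnames and the sample inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patched firmware named in the article for each affected model.
# Values are taken from the page; the string layout is inferred from them.
PATCHED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout: V<major>.<minor>(<line>.<build>)C<release>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class ZyxelVersion:
    major: int
    minor: int
    line: str      # firmware line code, e.g. AAZF (NAS326) or ABAG (NAS542)
    build: int
    release: int

    def order_key(self) -> tuple:
        # Assumption: a newer firmware has a greater (major, minor, build, release).
        return (self.major, self.minor, self.build, self.release)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string; raises ValueError if it does not fit the assumed layout."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, line, build, release = m.groups()
    return ZyxelVersion(int(major), int(minor), line, int(build), int(release))


def needs_patch(model: str, installed: str) -> Optional[bool]:
    """True if the installed firmware predates the fixed build for this model,
    False if it is at or beyond it, None if the model is not one the article covers."""
    target_text = PATCHED_FIRMWARE.get(model)
    if target_text is None:
        return None
    have = parse_version(installed)
    want = parse_version(target_text)
    if have.line != want.line:
        # A different firmware line cannot be ordered against this model's fix.
        raise ValueError(f"{model}: firmware line {have.line} does not match expected {want.line}")
    return have.order_key() < want.order_key()


def triage(inventory):
    """Classify each (hostname, model, version) record; returns a list of dicts."""
    results = []
    for host, model, version in inventory:
        try:
            status = needs_patch(model, version)
        except ValueError as exc:
            results.append({"host": host, "model": model, "version": version,
                            "status": "unparseable", "detail": str(exc)})
            continue
        if status is None:
            label = "not-covered"
        elif status:
            label = "VULNERABLE-patch-now"
        else:
            label = "patched"
        results.append({"host": host, "model": model, "version": version, "status": label})
    return results


# Constructed sample inventory: hostnames, the NAS-OTHER model and the XXXX line
# code are placeholders, not real devices or firmware.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-03", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-04", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-05", "NAS-OTHER", "V5.21(XXXX.12)C0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:8} {row['model']:10} {row['version']:20} {row['status']}")
```

Feed `triage()` whatever your asset inventory exports for model and firmware; a `VULNERABLE-patch-now` row is a device that still needs the fix, and an `unparseable` row is one whose firmware string should be checked by hand rather than assumed safe.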
