A five-year-old vulnerability is currently being exploited in Zyxel P660HN-T1A routers to introduce a Gafgyt malware variant onto target networks. An outbreak alert has been issued by Fortinet to inform users that this end-of-life router running versions before 7.3.15.0 v001/ 3.40 (ULM.0)b31 is being actively targeted in the wild. Zyxel published a security advisory back in 2019 about this vulnerability and the ability for attackers to exploit it to use the then-new Gafgyt variant to create a botnet of internet of things (IoT) devices. Unit42 security researchers at Palo Alto Networks investigated these 2019 attacks, which at the time also affected Huawei and Realtek routers, where the botnets were used to cause denial of service (DoS) on popular gaming servers, specifically those using the Valve source engine.
This actively exploited legacy flaw is tracked as CVE-2017-18368 and has been assigned a critical severity rating, with a CVSS base score of 9.8/10. This is a command injection vulnerability that is found in the Remote System Log of vulnerable routers, affecting the forwarding function. An unauthenticated attacker can access this function and exploit the vulnerability through the remote_host parameter in the ViewLog.asp page. Attackers can then deploy the Gafgyt variant through performing remote code execution on the device. This malware can then spread across the network to IoT devices which are often left vulnerable as users neglect to patch or update these systems. This creates a botnet of these IoT devices which can be used by the attackers or sold on forums to provide botnet capabilities to less sophisticated cyber criminals.
Although this vulnerability was patched by Zyxel in firmware version 3.40 back in 2019, the P660HN-T1A routers are now end-of-life products and have reached the end of their support life. The US Cybersecurity and Infrastructure Security Agency (CISA), a part of the US government, has recently added this vulnerability to their Known Exploited Vulnerabilities Catalog, confirming the current exploitation of this flaw encouraging all organisations to mitigate it as soon as possible. As this is an end-of-life product the best mitigation steps to take is to discontinue using it and replace it with a supported alternative that will continue to receive maintenance and security updates when required. Continuing to use vulnerable devices such as unpatched IoTs or end-of-life products puts network at risk but can also in cases such as this cause your network to become compromised in a way that will cause DoS to you as well as those targeted by the botnet, as your devices have been occupied, also costing you high data fees. Users should therefore patch and replace these vulnerable devices to mitigate these possible consequences of attack.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)