Attackers actively targeting vulnerable ZyXEL routers

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in ZyXEL products. TrueOnline is a major internet service provider in Thailand which distributes various rebranded ZyXEL routers to its customers.

Command Injection Vulnerability CVE-2017-18368

The ZyXEL P660HN-T router distributed by TrueOnline is prone to a command injection vulnerability in the Remote System Log forwarding function. This function is accessible to an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

The following exploit was spotted in the wild:

This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. The vulnerability is in the ViewLog.asp page, which is accessible unauthenticated. The attacker takes advantage of the vulnerability to bypass authentication by appending commands to the remote_host parameter in the POST request.

The attacker downloads a malicious executable by injecting a "wget" command and saves it in the tmp directory. They then set the permissions of the malicious file to 777, meaning the file is readable, writable and executable by all users. The attacker then executes the malicious file and deletes it to leave no trace.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15168: ZyXEL Products Command Execution (CVE-2017-18368)
    • GAV: Tsunami.DN

This vulnerability is patched.

Threat Graph

IoCs:

107.174.133.119

b28a3fbf79afdbf3965b6890cb2a1a7c5a0bdb59e50e98f1e20389894c8d928b
