Log4J: Mirai botnet found targeting ZyXEL networking devices | ZDNet

An Akamai researcher has discovered an attempt to use Log4J vulnerabilities in ZyXEL networking devices to “infect and assist in the proliferation of malware used by the Mirai botnet.”

Larry Cashdollar, a member of the Security Incident Response Team at Akamai Technologies, explained that Zyxel may have been specifically targeted because they published a blog noting they were impacted by the Log4J vulnerability. 

“The first sample I examined contained functions to scan for other vulnerable devices. All of the devices or software frameworks listed in the functions below are vulnerable to remote code execution,” he wrote. 

“The second sample…no longer contained the above exploitation functions, but it did contain the standard Mirai attack functions. It appears the above attack vectors had been removed in favor of Log4j exploitation. Based on the attack function names and their instructions I believe this sample is part of the Mirai malware family.”

He added that one of the interesting things about the malware was “if you have automated string extraction utilities for malware samples that log to a vulnerable Log4j instance, this payload could execute.” 

“Doing so could possibly, depending on your setup, infect your malware analysis system. Again, patching your vulnerable systems is the key here to protect your servers from compromise,” Cashdollar said.

Zyxel released a security advisory about the issue, noting that it is aware of the vulnerability and that it only affects the NetAtlas Element Management System line of products. 

“After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below,” they wrote.

Zyxel said a hotfix was released on December 20 and urged those in need to contact them for the file. A patch will be available by the end of February. 

Vulcan Cyber co-founder Tal Morgenstern said that by design, the Zyxel NetAtlas Element Management System provides extensive control of Zyxel enterprise network infrastructure and the services that run on it. 

In the right hands, the task automation provided by systems management tools allows IT and network operators to keep things running uninterrupted at massive scale, Morgenstern explained, adding that in the wrong hands, threat actors can do extensive damage quickly to the vulnerable networks they get access to. 

“Unfortunately, vulnerabilities in systems and network management software tools are trending. SolarWinds, Open Management Infrastructure (OMI), Salt, VMware, and Zoho ManageEngine are just a few we’ve seen in the last few months. Considering the amount of access and control these tools have, it is critical IT security teams take immediate steps to fully mitigate the notable risk these vulnerable tools present to the companies that use them,” Morgenstern said. 

“Zyxel has a patch available for NetAtlas EMS but the patch isn’t going to help if IT security teams aren’t diligent about maintenance. Apply the Zyxel patch and make sure to eliminate direct Internet access to NetAtlas EMS software if at all possible. If threat actors get access to systems management tools like NetAtlas, they get keys to your kingdom.”

Bugcrowd founder Casey Ellis told ZDNet that this is one of the many vendors which include Log4J as an open-source library and that the attack “is a demonstration of the ubiquity of the Log4J library and the attack surface created as a result. 

“It’s one of the reasons the security community went a bit bananas about this issue when it first dropped, and I’d expect to see similar advisories from other vendors for some time to come,” Ellis said. 
