Mirai-esque botnet is hitting Zyxel NAS devices

(Image credit: solarseven / Shutterstock)

A botnet, strikingly similar to the dreaded Mirai, is targeting Zyxel NAS instances that have passed their end-of-life date, new research has claimed. 

A report from the Shadowserver Foundation, a security organization that keeps track of cyber-threats, says the threat actors recently started scanning for one of the three flaws - CVE-2024-29973 - which is a command injection vulnerability. 

The goal, apparently, is to assimilate the endpoints into a botnet.  


In March 2024, cybersecurity researchers Outpost24 discovered three vulnerabilities in Zyxel’s network attached storage endpoints - CVE-2024-29973, CVE-2024-29972 and CVE-2024-29974. All three have a severity score of 9.8 (critical), and were found affecting NAS326 (running version V5.21(AAZF.16)C0 and earlier) and NAS542 (running versions V5.21(ABAG.13)C0 and earlier). 

Fast-forward a few months, and now threat actors have started targeting the vulnerable endpoints.

A botnet is essentially a “network of bots” - compromised endpoints whose computing power and internet bandwidth can be used for malicious purposes.

Botnets are usually used for distributed denial of service (DDoS) attacks, or for lending out bandwidth and IP addresses for illegal residential proxy services. 

It is also worth mentioning that while these two Zyxel NAS devices reached their end-of-life, the Taiwanese company still decided to patch them up, since some organizations have extended warranty for the devices. Therefore, if your organization is using these products, it would be wise to apply the patches immediately.

Furthermore, completely disconnecting and replacing them with newer, supported models, would be an even better solution.

Network attached storage devices such as these are often targeted by criminals, due to their importance in the organization, and frequent misconfiguration. Besides Zyxel, threat actors are constantly on the lookout for D-Link, or QNAP devices, to target. In fact, in early April, it was reported that thousands of end-of-life D-Link NAS devices came with a high-severity vulnerability that allowed attackers to run malicious code, steal sensitive data, and mount denial-of-service (DoS) attacks.

Via The Register

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.