Criminals Exploit Six-Year-Old Vulnerability to Infect Zyxel Routers with Malware for Botnet Activities

Malicious actors are attempting to compromise Zyxel routers through a six-year-old vulnerability, installing malware and adding the compromised devices to a botnet used for distributed denial-of-service (DDoS) attacks. The targeted model is the Zyxel P660HN-T1A, which has been end-of-life since 2016 and no longer receives security updates.

The vulnerability (CVE-2017-18368) in the router allows unauthorized attackers to execute commands on the device. Despite the router’s lack of support since 2016, Zyxel’s latest firmware release still addresses the security flaw. However, attackers have been trying to infect vulnerable routers with the Gafgyt malware for several years, an issue that Zyxel themselves warned about in 2019.

Earlier this week, Fortinet reported ongoing attacks exploiting this vulnerability. In response, the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security issued a warning, urging federal government agencies to install firmware version 3.40(BYF.11). Following CISA's alert, Zyxel issued a statement to users, reiterating that the P660HN-T1A is a legacy product that is no longer supported and should be replaced with new equipment.

Max Reisler
