An Akamai researcher identified attempts to exploit Log4j flaws in ZyXEL networking devices to infect them and spread malware used by the Mirai botnet. Larry Cashdollar of Akamai Technologies’ Security Incident Response Team noted that ZyXEL may have been targeted deliberately, since the vendor had published a blog post stating that it was affected by the Log4j vulnerability.
“The first sample I examined contained functions to scan for other vulnerable devices,” Cashdollar wrote in an Akamai blog post. “The second sample… did contain the standard Mirai attack functions,” he added. “It appears the… attack vectors had been removed in favor of Log4j exploitation. Based on the attack function names and their instructions, I believe this sample is part of the Mirai malware family.”
According to Cashdollar’s blog post, the payload could also be triggered indirectly: if an automated string-extraction tool for malware samples logs what it extracts to a vulnerable Log4j instance, the logged string itself becomes the exploit input. ZyXEL issued a security advisory on the vulnerability, stating that it is aware of the flaw and that it affects only the NetAtlas Element Management System product line.
ZyXEL wrote that it has identified only one vulnerable product that is still under warranty and support, and that it will release a hotfix and a patch to remedy the problem. ZyXEL said a hotfix was published on December 20 and that anyone who needs it should contact the company. A patch will be available by the end of February.
The ZyXEL NetAtlas Element Management System, according to Vulcan Cyber co-founder Tal Morgenstern, is designed to provide broad management of ZyXEL business network infrastructure and the services that run on it.
Morgenstern explained that in the right hands, the task automation offered by systems management technologies allows IT and network operators to keep things running at vast scale without interruption. In the wrong hands, threat actors who gain access to such a system can swiftly cause significant harm to the networks it manages.