Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet

Nimble and able to pivot on the fly to take advantage of emerging vulnerabilities, a campaign named IZ1H9 has ramped up its malware development to target a range of unpatched router and Internet of Things (IoT) devices and add them to a widening botnet used to launch targeted distributed denial-of-service (DDoS) cyberattacks.

Researchers from FortiGuard Labs flagged the campaign, which was recently updated with 13 new payloads leveraging known vulnerabilities in D-Link devices; Netis wireless routers; Sunhillo SureLine; Geutebruck IP cameras; and Yealink Device Management, Zyxel devices, TP-Link Artcher, Korenix Jetwave, and Totolink routers.

"Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on Sept. 6, with trigger counts ranging from the thousands to even tens of thousands," the report said. "This highlights the campaign's capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs."

Fortinet recommends organizations apply patches and change default login credentials to prevent further attacks.