IZ1H9 Campaign Strikes IoT Devices with Aggressive DDoS Attacks

Rapid Vulnerability Exploits Raise Alarms, Highlighting IoT Security Concerns

A new wave of distributed denial-of-service (DDoS) attacks has emerged, orchestrated by the Mirai-based IZ1H9 campaign, targeting Linux-based routers and Internet of Things (IoT) devices from prominent vendors like D-Link, Netis, and Zyxel. The IZ1H9 campaign has captured the attention of cybersecurity experts due to its aggressive tactics and the speed with which it leverages recently discovered vulnerabilities.

Fortinet’s FortiGuard Labs revealed in a blog post on October 9 that the IZ1H9 campaign is amplifying its impact through rapid exploitation of vulnerabilities. The attackers have managed to infect vulnerable devices and significantly expand their botnet by employing recently released exploit code, which capitalizes on numerous critical Common Vulnerabilities and Exposures (CVEs).

Once an attacker gains control of a vulnerable device, they can integrate these compromised devices into their botnet, granting them the ability to launch more DDoS and brute-force attacks. FortiGuard strongly advises organizations to apply patches promptly when available and to always change default login credentials for their IoT devices.

“IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers,” wrote FortiGuard researchers. “The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands.”

The surge in exploitable vulnerabilities in IoT devices is attributed to the complexity of these devices and the wide array of variables that must be considered. John Gallagher, Vice President of Viakoo Labs, explained that IoT devices lack standard operating systems, which means that vulnerabilities mitigated in traditional operating systems like Windows or Linux may persist in IoT devices, such as routers.

“Whether in remote offices, home offices, warehouses, or factory floors, many organizations have powerful network-connected devices that are outside the direct management of IT,” noted Gallagher. “Almost all organizations have security policies—the question is whether they are enforced or have specific exemptions granted. The use of an agentless asset discovery solution, as well as application-based discovery, can provide a starting point for securing your asset inventory and identifying the most critical systems at an application level.”

Timothy Morris, Chief Security Advisor at Tanium, stressed the importance of users installing updates provided by vendors to safeguard their devices against such attacks.

Most of these vulnerable devices are likely found in homes and small businesses, where they are often unmanaged, making them easy targets for growing the Mirai botnet, as Morris explained. The attackers install a payload containing a shell script, delete logs, alter device configurations, and modify iptables to obscure their activities and enable communication with the compromised devices.

John Bambenek, Principal Threat Hunter at Netenrich, cautioned that in times of geopolitical unrest, DDoS attacks are likely to increase. He emphasized the direct correlation between the size of a botnet and the frequency of attacks and outages, making the need for robust IoT security more pressing than ever.

Leave a Reply