The new Mirai variant Mukashi is targeting Zyxel network-attached storage (NAS) devices, first with brute-force attacks based on the default admin credentials and then by exploiting CVE-2020-9054.
Palo Alto Networks Unit 42 said almost all Zyxel NAS products running firmware versions up to 5.21 are susceptible. CVE-2020-9054 is a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
The vulnerability is rated as critical, primarily because it is particularly easy to exploit, Unit 42 reported, and exploit code has been spotted for sale on dark web forums. There are also indications that some malicious actors are attempting to combine Mukashi with the Emotet trojan.
“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution,” Unit 42 said.
Mukashi finds its victim IoT devices much as Mirai does, by randomly scanning for internet-facing devices with TCP port 23 (telnet) open. When one is found, it begins a brute-force attack, running through a list of default credentials and trying them in different combinations. Once a device has been accessed, the malware reports back to its C2 server.
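As an added illustration of how a defender might look for the two behaviours described above (this is example code written for this article, not Unit 42's or Zyxel's), the following Python script scans constructed web-access and telnet-authentication log lines: it flags weblogin.cgi requests whose decoded username parameter carries the quote-then-semicolon shape Unit 42 describes, and it flags source addresses that fail telnet logins repeatedly inside a short window. The /cgi-bin/weblogin.cgi path, both log formats, the threshold and the window are assumptions, and every sample line is constructed. It generalises slightly beyond the page by rating brute force with a sliding time window rather than a raw failure count.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not real traffic). Common-log-style web access
# lines; the /cgi-bin/weblogin.cgi path is an assumption.
WEB_LOG = """\
198.51.100.7 - - [20/Mar/2020:10:00:01 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512
198.51.100.9 - - [20/Mar/2020:10:00:05 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3BINJECTED_CMD%3B%27&password=x HTTP/1.1" 200 512
198.51.100.9 - - [20/Mar/2020:10:00:06 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512
203.0.113.4 - - [20/Mar/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Constructed syslog-style telnet daemon lines; the message format is assumed.
TELNET_LOG = """\
Mar 20 10:01:00 nas telnetd[412]: login failed for user 'admin' from 203.0.113.50
Mar 20 10:01:03 nas telnetd[412]: login failed for user 'admin' from 203.0.113.50
Mar 20 10:01:06 nas telnetd[412]: login failed for user 'root' from 203.0.113.50
Mar 20 10:01:09 nas telnetd[412]: login failed for user 'root' from 203.0.113.50
Mar 20 10:01:12 nas telnetd[412]: login failed for user 'admin' from 203.0.113.50
Mar 20 10:01:15 nas telnetd[412]: login failed for user 'admin' from 203.0.113.50
Mar 20 10:02:00 nas telnetd[412]: login failed for user 'admin' from 198.51.100.20
Mar 20 10:02:30 nas telnetd[412]: login failed for user 'admin' from 198.51.100.20
Mar 20 10:03:00 nas telnetd[412]: login succeeded for user 'admin' from 192.0.2.10
"""

WEB_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
TELNET_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login failed for user '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def injection_indicators(username: str) -> bool:
    """True when a decoded username has the shape the advisory describes:
    a single quote to close the string plus a semicolon to chain a command."""
    return "'" in username and ";" in username


def find_injection_attempts(log_text: str) -> list:
    """Return one record per weblogin.cgi request whose username parameter
    looks like a command-injection attempt. Only query-string parameters are
    visible here; a POST body needs inspection at a WAF or reverse proxy."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/weblogin.cgi"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for user in params.get("username", []):
            if injection_indicators(user):
                hits.append({"src": m.group("src"), "method": m.group("method"), "username": user})
    return hits


def find_bruteforce_sources(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Map each source address to its highest number of telnet login failures
    inside any window of `window_seconds`, keeping only those at or above `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = TELNET_LOG_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; only the deltas matter here.
        failures[m.group("src")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for hit in find_injection_attempts(WEB_LOG):
        print("weblogin.cgi injection indicator:", hit)
    for src, count in find_bruteforce_sources(TELNET_LOG).items():
        print(f"telnet brute force: {src} ({count} failures in one window)")
```

The web check keys on the exact mechanism Unit 42 quotes rather than on any one payload, so it is not defeated by changing the injected command; on a NAS where telnet is not meant to be reachable from the internet, any hit from the second check is itself a finding regardless of the count.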
At this point the device, like those infected with a standard version of Mirai, can be drafted into a botnet army and used to launch a DDoS attack.
Mukashi differs from Mirai in that it does not use Mirai's conventional XOR encryption; instead it uses a custom routine to encrypt and decrypt its commands and credentials.
The primary mitigation methods for protecting a Zyxel NAS unit, or any IoT device, are to change the preset admin login credentials immediately and to make sure the device is running the latest firmware version.
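One way to turn those two mitigations, plus the telnet exposure the article describes, into an inventory check (added example code, not Zyxel's or Unit 42's): the script below audits a constructed list of NAS devices and reports which ones still need action. The only version threshold it knows is the article's statement that firmware up to 5.21 is affected; the patched version is not on the page, so take the real cut-off from the vendor advisory. The `NasDevice` fields, the version-string format and the sample inventory are all assumptions.

```python
import re
from dataclasses import dataclass

# Taken from the article's statement that firmware versions up to 5.21 are
# susceptible; the actual patched version must come from the vendor advisory.
LAST_AFFECTED_FIRMWARE = (5, 21)


@dataclass
class NasDevice:
    name: str
    firmware: str               # vendor version string (format assumed)
    admin_password_changed: bool
    telnet_exposed: bool        # TCP/23 reachable from the internet


# Constructed sample inventory; names and version strings are made up.
SAMPLE_INVENTORY = [
    NasDevice("nas-01", "V5.21(AAZF.7)C0", admin_password_changed=False, telnet_exposed=True),
    NasDevice("nas-02", "V5.30(AAZF.8)C0", admin_password_changed=True, telnet_exposed=False),
    NasDevice("nas-03", "unknown", admin_password_changed=True, telnet_exposed=False),
]


def parse_firmware_version(version: str):
    """Extract the first major.minor pair from a vendor version string, or None."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected_firmware(version: str) -> bool:
    """True for versions at or below the last affected release. An unparseable
    version is treated as affected so it is reviewed rather than silently skipped."""
    parsed = parse_firmware_version(version)
    return parsed is None or parsed <= LAST_AFFECTED_FIRMWARE


def audit(devices) -> dict:
    """Return {device name: [issues]} for every device that needs action."""
    findings = {}
    for d in devices:
        issues = []
        if is_affected_firmware(d.firmware):
            issues.append("firmware at or below 5.21 (or unknown): update to the latest release")
        if not d.admin_password_changed:
            issues.append("preset admin credentials still in use: change them")
        if d.telnet_exposed:
            issues.append("TCP/23 reachable from the internet: restrict access")
        if issues:
            findings[d.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Treating an unparseable version as affected is deliberate: an inventory gap should surface as work to do, not disappear from the report.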