A new version of the infamous Mirai malware has been discovered that targets a recently disclosed critical vulnerability in network-attached storage (NAS) devices. Dubbed Mukashi, the new variant exploits the CVE-2020-9054 vulnerability (for which a PoC exploit was made publicly available last month) in unpatched Zyxel NAS devices to remotely infect and control vulnerable machines, according to Palo Alto Networks' Unit 42 threat intelligence team.
Mukashi leverages brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products. Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to this threat, the researchers say.
The flaw has a critical rating (i.e., a CVSS v3.1 score of 9.8) and is trivial to exploit, Unit 42 warns. CVE-2020-9054 resides in a "weblogin.cgi" program used by the Zyxel devices, potentially allowing attackers to perform remote code execution via command injection.
“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution,” the analysis reads.
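The quoted passage describes the request shape a defender can look for: a weblogin.cgi request, via GET or POST, whose username parameter carries a single quote and a semicolon. The following Python is an added example written for this article (not Unit 42's or Zyxel's code) that scans constructed request records for that pattern. The JSON-lines layout and its field names (src, method, url, body) are assumptions standing in for whatever a reverse proxy or WAF in front of the device actually records, and the sample events are constructed, not captured traffic.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no place in a login name. The quoted analysis
# names the single quote and the semicolon; the remaining characters are a
# defensive generalization added here (an assumption, not taken from the article).
SUSPICIOUS = re.compile(r"""['";`|&$]""")

# Constructed sample events (not real captures). Field names are assumptions.
SAMPLE_EVENTS = [
    '{"src": "203.0.113.10", "method": "GET", "url": "/cgi-bin/weblogin.cgi?username=admin&password=1234"}',
    '{"src": "198.51.100.7", "method": "GET", "url": "/cgi-bin/weblogin.cgi?username=admin%27%3Bid%3B%23&password=x"}',
    '{"src": "198.51.100.7", "method": "POST", "url": "/cgi-bin/weblogin.cgi", "body": "username=admin%27%3Bid%3B%23&password=x"}',
    '{"src": "192.0.2.3", "method": "GET", "url": "/index.html"}',
]


def extract_username(event: dict) -> Optional[str]:
    """Return the percent-decoded username parameter of a weblogin.cgi request.

    Returns None for requests to any other path or with no username parameter.
    The parameter is accepted from the query string (GET) or the body (POST),
    mirroring the observation that weblogin.cgi takes both.
    """
    parts = urlsplit(event.get("url", ""))
    if not parts.path.endswith("/weblogin.cgi"):
        return None
    params = {}
    params.update(parse_qs(parts.query))             # GET-style parameters
    params.update(parse_qs(event.get("body", "")))   # POST-style parameters
    values = params.get("username")
    return values[0] if values else None


def is_suspicious_login(event: dict) -> bool:
    """True when the username contains a shell metacharacter after decoding."""
    username = extract_username(event)
    return username is not None and bool(SUSPICIOUS.search(username))


def scan(lines):
    """Return (src, method, decoded_username) for every flagged request."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_login(event):
            hits.append((event["src"], event["method"], extract_username(event)))
    return hits


if __name__ == "__main__":
    for src, method, username in scan(SAMPLE_EVENTS):
        print(f"suspicious weblogin.cgi {method} from {src}: username={username!r}")
```

Decoding before matching matters: the metacharacters arrive percent-encoded on the wire, so a filter that inspects the raw query string would miss them. Restricting the check to the weblogin.cgi path and the username parameter keeps false positives from legitimate pages that accept punctuation.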
The research team first spotted Mukashi's activity on March 12, when the threat actor attempted to download a shell script to the tmp directory, execute the downloaded script, and remove the evidence on a vulnerable device.
Once it has infected a device, the Mukashi bot performs brute-force attacks in an attempt to compromise other IoT devices on the network and reports to its command and control server if a login attempt has been successful.
Mukashi uses combinations of default credentials (like t0talc0ntr0l4! or taZz@23495859) to compromise other systems. Just like other Mirai versions, Mukashi supports various commands, including launching DDoS attacks.
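The credential-guessing behaviour described in the two paragraphs above has a recognisable footprint on the target: a burst of failed logins from one source, sometimes followed by a success that the bot then reports to its controller. The Python below is an added example written for this article (not Unit 42's or Zyxel's code) that detects both signals over constructed authentication log lines. The syslog-like line format, the field names, and the threshold and window values are assumptions chosen for the example; a real device's log format will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real device output). Format and field names are assumptions.
SAMPLE_LOG = """\
2020-03-12T10:00:01 nas weblogin: FAILED user=admin src=198.51.100.7
2020-03-12T10:00:02 nas weblogin: FAILED user=admin src=198.51.100.7
2020-03-12T10:00:03 nas weblogin: FAILED user=root src=198.51.100.7
2020-03-12T10:00:04 nas weblogin: FAILED user=admin src=198.51.100.7
2020-03-12T10:00:05 nas weblogin: FAILED user=admin src=198.51.100.7
2020-03-12T10:00:06 nas weblogin: SUCCESS user=admin src=198.51.100.7
2020-03-12T10:00:30 nas weblogin: FAILED user=alice src=192.0.2.3
2020-03-12T10:05:00 nas weblogin: SUCCESS user=alice src=192.0.2.3
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ weblogin: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

THRESHOLD = 5                    # failures within the window that count as a burst (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts derived from a stream of login log lines.

    ("burst", src, count)              - src reached `threshold` failures inside `window`
    ("success_after_burst", src, user) - a login succeeded while src still had a burst
                                          of failures inside the window
    Lines that do not match the expected format are skipped.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    burst_alerted = set()           # sources already reported as bursting
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src, user, result = m["src"], m["user"], m["result"]
        recent = failures[src]
        # Slide the window: forget failures older than `window`.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "FAILED":
            recent.append(ts)
            if len(recent) >= threshold and src not in burst_alerted:
                burst_alerted.add(src)
                alerts.append(("burst", src, len(recent)))
        elif len(recent) >= threshold:
            # A success right after a burst is the case worth escalating: the
            # guessed credential worked, which is what the bot reports home.
            alerts.append(("success_after_burst", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The per-source deque keeps memory bounded to the failures inside the window, so the detector can run over a live stream. The single failure from 192.0.2.3 followed by a success minutes later falls outside the window and correctly produces no alert; the five rapid failures and immediate success from 198.51.100.7 produce both.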
“When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor,” the researchers say.
Zyxel issued a patch for the vulnerability last month, though the update does not cover affected NAS products that reached end-of-support in 2016 or earlier.