24 March 2020

New Mirai variant “Mukashi” aims at unpatched Zyxel NAS devices

A new variant of the infamous Mirai malware has been found exploiting a recently disclosed critical vulnerability in network-attached storage (NAS) devices. Dubbed Mukashi, the variant abuses CVE-2020-9054, for which a proof-of-concept exploit was published last month, to remotely infect and control unpatched Zyxel NAS devices, according to Palo Alto Networks' Unit 42 threat intelligence team.

Alongside the exploit, Mukashi brute-forces logins with different combinations of default credentials. The flaw affects Zyxel NAS, UTM, ATP and VPN firewall products; multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable, the researchers say.

The flaw is rated critical (CVSS v3.1 base score 9.8) and is trivial to exploit, Unit 42 warns. CVE-2020-9054 is a pre-authentication command injection in the "weblogin.cgi" program the Zyxel devices use for login, allowing an unauthenticated remote attacker to execute arbitrary commands on the device.

“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution,” the analysis reads.
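To make the mechanism concrete, here is an added example in Python, written for this page rather than taken from Zyxel's firmware or Unit 42's analysis. It models a CGI handler that splices the username into a single-quoted shell command, tokenises the result the way a POSIX shell would (nothing is executed), and shows two fixes plus an allow-list check. The command template /bin/check_login, the function names and the payload are assumptions for illustration.

```python
"""Added example for this page (not Zyxel's weblogin.cgi, not Unit 42's code):
models the quote-and-semicolon command injection described above and two
hardening options. Nothing here executes a shell command."""
import re
import shlex

# Assumption for illustration: the vulnerable CGI builds a shell command line
# by splicing the raw username into a single-quoted argument. The helper
# /bin/check_login is hypothetical.
CHECK_LOGIN = "/bin/check_login"
VULNERABLE_TEMPLATE = CHECK_LOGIN + " '{username}'"


def build_vulnerable_command(username):
    """Vulnerable pattern: string interpolation into a shell command line."""
    return VULNERABLE_TEMPLATE.format(username=username)


def build_quoted_command(username):
    """Fix 1: shlex.quote() escapes the value so the shell sees one word."""
    return CHECK_LOGIN + " " + shlex.quote(username)


def hardened_argv(username):
    """Fix 2 (preferred): hand an argv list to an exec-style API such as
    subprocess.run(argv) without shell=True, so no shell ever parses it."""
    return [CHECK_LOGIN, username]


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_valid_username(username):
    """Defence in depth: allow-list the characters a username may contain."""
    return USERNAME_RE.match(username) is not None


def shell_commands(cmd):
    """Tokenise cmd the way a POSIX shell would and split it into the
    separate simple commands a shell would run, without running anything.
    Only ';' is modelled as a command separator; quoting is honoured."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) == {";"}:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if any(c)]  # drop empty commands such as ''


if __name__ == "__main__":
    # Constructed payload: the quote closes the string, ';' starts a new
    # command, and a trailing quote keeps the shell's quoting balanced.
    payload = "admin';id;'"
    for build in (build_vulnerable_command, build_quoted_command):
        cmd = build(payload)
        print(f"{build.__name__}: {cmd!r} -> {shell_commands(cmd)}")
    print("argv form:", hardened_argv(payload))
    print("allow-list accepts payload:", is_valid_username(payload))
```

With the vulnerable builder the payload yields two commands, `/bin/check_login admin` followed by `id`; with `shlex.quote()` the whole payload is delivered as one argument, and with the argv form there is no shell parse at all. The allow-list is a second layer, not a substitute for the first two.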

Unit 42 first spotted Mukashi activity on March 12, when the threat actor attempted to download a shell script to the /tmp directory of a vulnerable device, execute it, and then remove the evidence.
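Because the injection rides on the username parameter of a login request, the attempt leaves a trace in web-server access logs. The following added example (not from the article or from Unit 42) scans constructed combined-format log lines for weblogin.cgi requests whose decoded username carries shell metacharacters; the /cgi-bin/ path, the log layout and the IP addresses are assumptions. It also shows the caveat the quoted analysis implies: weblogin.cgi accepts POST as well as GET, and a POST body is not in an access log, so such requests can only be flagged for review unless a WAF or IDS captures the body.

```python
"""Added example for this page (not from the article or Unit 42): flag
weblogin.cgi requests in access logs whose username carries shell
metacharacters. Log lines, IPs and the /cgi-bin/ path are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: combined log format, as a reverse proxy or the device's own
# web server might write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The analysis names ' and ; specifically; the rest are the other usual
# shell separators and substitution characters.
SHELL_META = set("';|&`$(){}<>\n")

# Constructed sample: one injection attempt over GET, one POST whose body
# is not logged, one legitimate login, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2020:10:01:22 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3Bid%3B%27&password=x HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [12/Mar/2020:10:02:01 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.9 - - [12/Mar/2020:10:03:14 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=secret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def query_params(query):
    """Decode a query string by hand so that a literal ';' in a value is
    never mistaken for a pair separator (older parse_qs did exactly that)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify(line):
    """Return (verdict, client_ip, detail) for a suspicious weblogin.cgi
    request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/weblogin.cgi"):
        return None
    if m["method"] == "POST":
        # The body is not in the access log, so the request can only be
        # escalated to whatever captures full requests (WAF, IDS, proxy).
        return ("review", m["ip"], "POST body not logged; needs WAF/IDS capture")
    for username in query_params(url.query).get("username", []):
        if SHELL_META & set(username):
            return ("alert", m["ip"], username)
    return None


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for verdict, ip, detail in scan(SAMPLE_LOG):
        print(f"{verdict:6} {ip:15} {detail!r}")
```

On the sample the GET attempt is reported as an alert with the decoded payload, the POST is reported for review, and the two benign lines are ignored. Matching on the decoded parameter rather than on the raw URL matters because the quote and semicolon normally arrive percent-encoded.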

Once it has infected a device, the Mukashi bot brute-forces other IoT devices on the network and reports successful logins to its command-and-control server.

Mukashi uses combinations of default credentials (like t0talc0ntr0l4! or taZz@23495859) to compromise other systems. Just like other Mirai versions, Mukashi supports various commands, including launching DDoS attacks.

“When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor,” the researchers say.

Zyxel issued a patch for the vulnerability last month, though the update does not cover affected NAS products that reached end-of-support in 2016 or earlier.
