Palo Alto Networks experts have discovered a new version of the Mirai malware, famous as Mukashi, which scans the network, searches for and attacks Zyxel devices.
This version uses brute force and various combinations of default credentials, and penetrates Zyxel’s devices to gain control over them and then use them for DDoS attacks. Mirai is more than a botnet, it is a complex basic architecture for malware, for example, we reported about an Ares IoT botnet, which mainly infects Android consoles manufactured by HiSilicon, Cubetek and QezyMedia, which is built on the Mirai basis.Mukashi malware exploits the recently found and fixed vulnerability CVE-2020-9054, which affects several NAS models of the company at once (running firmware 5.21 and earlier) and allows arbitrary code to be executed remotely and without authentication on them”, – explain the researchers.
Let me remind you that on the vulnerability assessment scale this problem scored 10 points out of 10 possible.
The root of this problem lies in the weblogin.cgi file, a bug occurs due to incorrect cleaning of the username parameter. That is, if username includes certain characters, a vulnerability appears and it can be used to inject commands with web server privileges. After that, an attacker can use the setuid utility to run arbitrary commands with root privileges.
Worse, it turned out that the vulnerability threatens not only the NAS of the company, as originally reported, but also poses a threat to 23 UTM, ATP and VPN firewalls with firmware versions from ZLD V4.35 Patch 0 to ZLD V4.35 Patch 2”, – say the researchers.
According to experts, Mukashi scans the network in search of vulnerable Zyxel devices from at least March 12, 2020. In addition, like other Mirai variants, Mukashi explores the Internet for other vulnerable IoT devices (routers, NAS devices, cameras, and DRVs) that are protected only by the factory default settings or simple, commonly used passwords.
Compromise indicators and technical details can be found on the Palo Alto Networks blog.
Mitigation
Updating the firmware is highly recommended to keep the attackers at bay. Complex login passwords are also advised to prevent brute forcing.