Skip to main content

Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

Mirai IoT Botnet Malware

A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines.

Called "Mukashi," the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks.

Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks' Unit 42 global threat intelligence team said, adding they uncovered the first such exploitation of the flaw in the wild on March 12.

Zyxel's Pre-Authentication Command Injection Flaw


Mukashi hinges on a pre-authentication command injection vulnerability (tracked as CVE-2020-9054), for which a proof-of-concept was only made publicly available last month. The flaw resides in a "weblogin.cgi" program used by the Zyxel devices, thereby potentially allowing attackers to perform remote code execution via command injection.

"The executable weblogin.cgi doesn't properly sanitize the username parameter during authentication. The attacker can use a single quote (') to close the string and a semicolon (;) to concat arbitrary commands to achieve command injection," according to Unit 42 researchers. "Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution."

Zyxel Mirai IoT Botnet

Zyxel issued a patch for the vulnerability last month after it emerged that precise instructions for exploiting the flaw were being sold in underground cybercrime forums for $20,000 for use against targets. But the update doesn't address the flaw on many older unsupported devices.

As a workaround, the Taiwan-based networking equipment maker has urged users of those affected models to not leave the products directly exposed to the Internet, and connect them to a security router or firewall for additional protection.

Mukashi Targets Zyxel NAS Devices


Just like other Mirai variants, Mukashi operates by scanning the Internet for vulnerable IoT devices like routers, NAS devices, security cameras, and digital video recorders (DVRs), looking for potential hosts that are protected only by factory-default credentials or commonly-used passwords to co-opt them into the botnet.

If a brute-force login turns out to be successful, Mukashi not only reports the login attempt to a remote attacker-controlled command-and-control (C2) server but also awaits further commands to launch DDoS attacks.

Mirai IoT Botnet

"When it's executed, Mukashi prints the message 'Protecting your device from further infections.' to the console," Unit42 researchers said. "The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor."

Mirai's History of DDoS attacks


The Mirai botnet, since its discovery in 2016, has been linked to a string of large-scale DDoS attacks, including one against DNS service provider Dyn in October 2016, causing major internet platforms and services to remain inaccessible to users in Europe and North America.

Since then, numerous variants of Mirai have sprung up, in part due to the availability of its source code on the Internet since 2016.

It's recommended that all Zyxel consumers download the firmware update to protect devices from Mukashi hijacks. Updating default credentials with complex login passwords can also go a long way towards preventing such brute-force attacks.

The full list of Zyxel products affected by the flaw is available here. You can also test if a Zyxel NAS device is vulnerable here.

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...