Another variant of the shape-shifting Mirai botnet is attacking Zyxel network-attached storage (NAS) devices using a critical vulnerability that was only recently discovered, according to security researchers.
The variant, dubbed Mukashi, takes advantage of a pre-authentication command injection vulnerability found in Zyxel NAS storage devices, according to researchers at Palo Alto Networks’ Unit 42 global threat intelligence team. A proof of concept for the vulnerability, CVE-2020-9054, was published publicly only last month.
“Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts,” Unit 42 Ken Hsu, Zhibin Zhang and Ruchna Nigam wrote in a blog post published Thursday.
Many and potentially all Zyxel NAS products running firmware versions up to 5.21 are vulnerable to compromise, they said.
“We’re aware of the CVE-2020-9054 vulnerability and already released firmware updates for the affected products immediately,’ a spokesperson for Zyxel wrote to Threatpost in response to email-based questions about the bug.
“We’ve been proactively communicating the issue to our customers on Zyxel Forum and through direct email alerts to urge customers to install the firmware updates or follow the workaround for optimal protection,” the company representative wrote.
Researchers Alex Holden, founder of Milwaukee-based security firm Hold Security, discovered the Zyxel NAS vulnerability last month when someone was selling precise instructions for how to exploit it on the cybercrime underground. He alerted Brian Krebs of KrebsonSecurity, who informed Zyxel of the exploit and published a report about the vulnerability, which he said can allow a threat actor to remotely compromise and take control of more than a dozen of Zyxel’s devices.
“This initial discovery also mentioned ‘the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet,’” according to Unit 42 researchers.
The Mirai botnet has been around in some form or another for some time. Source code for Mirai was released in October 2016 and since then numerous malware variants have been seen in the wild. The Internet of Things (IoT) botnet has been linked to major distributed denial of service (DDoS) attacks, and its multiple variants in the past several years have been indiscriminate in their targeting.
Mirai and its variants have been observed taking down technology such as routers, internet-based companies such as DNS providers, business sectors such as financial services, and horizontal players such as enterprise companies, to name a few. Mirai even has bolstered cybercriminals by giving the DDoS as a service industry prevalent on hacker forums a boost.
Mirai variants observed by researchers show a shift in focus in the last year to target hardware and processors, and the latest variant Mukashi bucks that trend. Mukashi shares some characteristics with previous Mirai variants as well as the Mirai botnet from which it was spawned, Unit 42 researchers wrote.
The variant operates by scanning the TCP port 23 of random hosts, brute forcing the logins using different combinations of default credentials. It then reports the successful login attempt to its C2 server, from which it is also capable of receiving C2 commands and launching DDoS attacks—a characteristic it shares with other Mirai variants, they said.
Before being fully deployed, Mukashi binds to the TCP port 23448 to ensure only a single instance of the botnet runs on the infected system, according to researchers. Then, once executed, Mukashi prints the message “Protecting your device from further infections” to the console, after which it changes its process name to “dvrhelper”–a name implies that implies Mukashi may also have inherited some of Mirai’s functionality, they wrote.
One thing that is different about Mukashi than other Mirai variants is its method of encryption, researchers noted. While those use conventional xor encryption, Mukashi uses a custom decryption routine to encrypt these commands and credentials, they said, providing a script for the encryption.
Zyxel has published a vendor advisory on the vulnerability as well as a website for testing whether a device is vulnerable.
On March 9, researchers identified over 16 security flaws in Zyxel’s Cloud CNM SecuManager software. Some of those bugs included multiple backdoors and hardcoded SSH server keys.