New Mirai Variant Exploits NAS Device VulnerabilityResearchers: Mukashi Botnet Can Use Infected Devices to Launch DDoS Attacks
Security researchers are tracking a variant of the prolific Mirai botnet called Mukashi that’s taking advantage of vulnerabilities in network-area storage devices made by Zyxel and giving its operators the ability to launch distributed denial-of-service attacks. Zyxel has issued a patch for the vulnerability.
The operators of this new botnet are expanding their internet of things network by taking advantage of a vulnerability identified in February and designated as CVE-2020-9054, which affects Zyxel NAS devices using older instances of the company's firmware up to version 5.21, according to researchers at Palo Alto Networks' Unit 42.
This flaw is described as a "pre-authentication command injection vulnerability," which can allow attackers to executive arbitrary code within a vulnerable device, the researchers say. While there is a proof-of-concept attack designed to take advantage of this vulnerability, Zyxel has released a patch to fix the flaw.
"A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products," according to Zyxel. "Missing authentication for the program could allow attackers to perform remote code execution via [operating system] command injection."
Zyxel also noted, however, that NAS products that reached end-of-support in 2016 or earlier would not receive updates and could still be vulnerable. The company advised customers to not leave these older devices "directly exposed to the internet."
To build this new botnet, the operators of Mukashi attack vulnerable and unpatched Zyxel NAS devices using brute-force methods to guess combinations of passwords and usernames. If the brute-force attack is successful, the malware infects the device and then communicates back to a command-and-control server, adding the device to the botnet, according to Unit 42.
And while the Mukashi botnet is fairly new - researchers first noticed the operators scanning for vulnerable devices on March 12 - it retains some of the same properties as Mirai, including the ability to communicate with a command-and-control server and the capability of launching a DDoS attack, according to Unit 42.
"It’s not surprising that the threat actors weaponized this vulnerability and start wreaking havoc in the internet of things realm," the Unit 42 report states.
The researchers, however, do not indicate that such a DDoS attack has actually been waged.
Mukashi uses a custom decryption routine to encrypt commands and credentials, instead of the previous encryption methods used with Mirai, according to Unit 42.
Mirai is still best known for its use in a massive DDoS attack that took down large portions of the internet in October 2016 by taking advantage of vulnerabilities in hundreds of thousands of compromised devices. Researchers found that the malware used to build the botnet was coded as a worm, so once it infected a device, it searched for other such devices to infect (see: Can't Stop the Mirai Malware).
And while three of Mirai's co-authors were convicted and sentenced for creating the botnet, the code they used remains available for other cybercriminals to modify for their own purposes (see: Mirai Botnet Code Gets Exploit Refresh).