There is a new variant of the Mirai botnet called Mukashi. The attackers are primarily targeting unpatched Zyxel devices, on which the botnet is to be installed. The malware, called Mukashi, uses brute-force attacks with various combinations of default credentials to log in to Zyxel NAS devices. It then tries to take control of these devices and add them to a botnet, which can be used to carry out DDoS attacks.
Pre Authentication Command Vulnerability
Multiple Zyxel devices contain a pre-authentication command injection vulnerability that could allow a remote attacker to run arbitrary code on a vulnerable device without logging in. This security warning was issued in March 2020.
Mukashi hinges on a pre-authentication command injection vulnerability (tracked as CVE-2020-9054), for which a proof of concept was only made publicly available last month. Mukashi has exploited the vulnerability in Zyxel NAS devices with firmware version. Remote code execution attacks are then carried out, as security researchers have observed. Since last week the malware has been scanning ports for potential targets and launching brute-force attacks with common combinations of usernames and passwords. Once the login has been bypassed, Mukashi connects to a command-and-control server that can issue commands to perform DDoS attacks. When analyzing the code of the Mukashi malware, the security researchers found that, despite the differences, it corresponds to the Mirai botnet. At the end of 2019, the Mirai botnet paralyzed large parts of the internet or slowed down websites through DDoS attacks. The Mirai source code was published online, giving cybercriminals the tools to build a botnet. Zyxel patched the vulnerability affecting network attached storage and firewall products last month, and it is strongly recommended that all Zyxel users install the firmware update to protect their devices from Mukashi attacks.
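The brute-force stage described above (repeated logins with common username/password pairs, followed by a successful login once a pair works) leaves a recognisable trace in authentication logs. The following script is an added example, not code from the article, from Zyxel or from the researchers who analysed Mukashi: it parses a constructed, generic log format (not a real Zyxel log format), flags any source address that produces a threshold number of failed logins inside a sliding time window, and then reports successful logins from an already-flagged source, which is the event a defender most wants to see. The threshold, window and log layout are assumptions chosen for the example.

```python
"""Brute-force login detection over authentication log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed, constructed log format:
#   "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: (time_threshold_was_hit, sorted usernames tried)} for every
    source with at least `threshold` failed logins inside any `window`-long span."""
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) for recent failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "failure":
            continue
        q = failures[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Slide the window: discard failures older than `window` relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (ev["ts"], sorted({u for _, u in q}))
    return alerts


def successes_after_alert(lines, alerts):
    """Successful logins from a flagged source at or after the time it was flagged:
    the signature of a credential guess that eventually worked."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        if ev["src"] in alerts and ev["ts"] >= alerts[ev["src"]][0]:
            hits.append((ev["src"], ev["user"], ev["ts"]))
    return hits


# Constructed sample log: one source hammering default-style usernames and then
# getting in, one source with two isolated failures, one ordinary login.
SAMPLE_LOG = """\
2020-03-20T10:00:01 auth failure user=admin src=203.0.113.7
2020-03-20T10:00:02 auth failure user=root src=203.0.113.7
2020-03-20T10:00:03 auth failure user=admin src=203.0.113.7
2020-03-20T10:00:04 auth failure user=support src=203.0.113.7
2020-03-20T10:00:05 auth failure user=admin src=203.0.113.7
2020-03-20T10:00:06 auth success user=admin src=203.0.113.7
2020-03-20T10:00:10 auth failure user=admin src=198.51.100.4
2020-03-20T10:05:00 auth failure user=admin src=198.51.100.4
2020-03-20T10:10:00 auth success user=alice src=192.0.2.10
""".splitlines()


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for src, (ts, users) in found.items():
        print(f"ALERT {src}: {len(users)} usernames tried, threshold hit at {ts}")
    for src, user, ts in successes_after_alert(SAMPLE_LOG, found):
        print(f"SUCCESS AFTER ALERT {src}: user={user} at {ts}")
```

The sliding window matters: a source that fails once every few minutes never accumulates enough recent failures to trip the threshold, while a burst of guesses does, so the detector keys on the rate rather than on the lifetime count. On a real device the same logic would run over its actual authentication log format, and the alert should also be checked against the firmware version the vendor patched.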