Palo Alto Networks Experts discovered a new version the wrecker Mirai, dubbed Mukashi. This version uses brute force and various combinations of default credentials, and also penetrates Zyxel's devices to gain control over them and then use them for DDoS attacks.
Researchers explain that the Mukashi malware exploits the recently found and fixed vulnerability CVE-2020-9054, which affects several NAS models of the company (running firmware 5.21 and earlier) and allows arbitrary code to be executed remotely and without authentication on them. Let me remind you that on the CSSV vulnerability rating scale, the problem scored 10 points out of 10 possible.
The root of this problem lies in the weblogin.cgi file, a bug occurs due to incorrect cleaning of the username parameter. That is, if username includes certain characters, a vulnerability appears and it can be used to inject commands with web server privileges. After that, an attacker can use the setuid utility to run arbitrary commands with root privileges.
Even worse, it turned out that the vulnerability threatens not only the NAS of the company, as originally reported, but also poses a danger to 23 UTM, ATP and VPN firewalls with firmware versions from ZLD V4.35 Patch 0 to ZLD V4.35 Patch 2.
According to experts, Mukashi scans the network in search of vulnerable Zyxel devices from at least March 12, 2020. In addition, like other Mirai varieties, Mukashi explores the Internet for other vulnerable IoT devices (routers, NAS devices, cameras, and DRVs) that are protected only by the factory default settings or simple, common passwords.
Compromise indicators and technical details can be found on the Palo Alto Networks blog.