The new Mirai variant Mukashi is targeting Zyxel network attached storage (NAS)
devices using brute force attacks based on the default admin credentials and
then exploiting CVE-2020-9054.

Palo Alto Networks Unit 42 said almost all Zyxel NAS products
running firmware versions up to 5.21 are susceptible. CVE-2020-9054
is a pre-authentication command injection vulnerability, which may allow a
remote, unauthenticated attacker to execute arbitrary code on a vulnerable
device.

The vulnerability is rated as critical, primarily because it
is particularly easy to exploit, Unit 42 reported,
and the exploit code has been spotted on sale in dark web forums. There are
also indications some malicious actors are attempting to match up Mukashi and the
Emotet trojan.

“The executable weblogin.cgi doesn’t properly sanitize the
username parameter during authentication. The attacker can use a single quote ‘
to close the string and a semicolon ; to concat arbitrary commands to achieve
command injection. Since weblogin.cgi accepts both HTTP GET and POST requests,
the attacker can embed the malicious payload in one of these HTTP requests and
gain code execution,” Unit 42 said.

Mukashi finds its victim IoT devices much
like Mirai
by randomly scanning the TCP port 23 on devices it finds on the internet. When one
is found it begins a brute force attack running through a list of default credentials
and using them in different combinations. Once a device has been accessed it reports
back to its C2 server.

At this point the device, like those infected
with a standard version of Mirai, can be drafted into a botnet army and used to
launch a DDoS attack.

Mukashi differs from Mirai by not
using a conventional xor encryption, but replaces it with a custom decryption
routine to encrypt these commands and credentials.

The primary mitigation methods to protect
a Zyxel NAS unit, or any IoT device, is to immediately change the preset admin login
credentials to make sure it is running the latest firmware version.