A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines.
Called “Mukashi,” the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks.
Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks’ Unit 42 global threat intelligence team said, adding that it first observed exploitation of the flaw in the wild on March 12.
Zyxel’s Pre-Authentication Command Injection Flaw
Mukashi hinges on a pre-authentication command injection vulnerability (tracked as CVE-2020-9054), for which a proof-of-concept was only made publicly available last month. The flaw resides in a “weblogin.cgi” program used by the Zyxel devices, thereby potentially allowing attackers to perform remote code execution via command injection.
“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote (‘) to close the string and a semicolon (;) to concat arbitrary commands to achieve command injection,” according to Unit 42 researchers. “Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.”
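The parameter-handling weakness described above, as an added example that is not part of the original article or of Zyxel’s own code: a small Python detector that pulls the username parameter out of GET query strings and POST form bodies aimed at weblogin.cgi and flags values carrying the quote and semicolon (and other shell metacharacters), beside the allowlist validation a fixed login handler should apply instead. The request path and the sample requests are constructed; "cmd" stands in for any appended string.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters a login username has no business containing; the single quote and
# semicolon are the two the researchers single out for CVE-2020-9054.
SHELL_META = re.compile(r"[';`|&$()<>\n]")

def username_fields(request_line, body=""):
    """Return every 'username' value carried by a request to weblogin.cgi,
    from the query string (GET) and the form body (POST). Empty list otherwise."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    if not parts.path.endswith("weblogin.cgi"):  # path prefix is an assumption
        return []
    fields = parse_qs(parts.query, keep_blank_values=True).get("username", [])
    if method == "POST":
        fields += parse_qs(body, keep_blank_values=True).get("username", [])
    return fields

def is_injection_attempt(request_line, body=""):
    """True when any username value (decoded once more to catch double
    encoding) contains shell metacharacters."""
    return any(SHELL_META.search(unquote(u)) for u in username_fields(request_line, body))

def username_is_valid(username):
    """Allowlist a patched or proxied login should enforce instead of blocklisting
    metacharacters: letters, digits, dot, dash, underscore, at most 32 characters."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,32}", username) is not None

# Constructed sample traffic (not real captures).
SAMPLES = [
    ("GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1", ""),
    ("GET /cgi-bin/weblogin.cgi?username=admin%27%3Bcmd%3B%27&password=x HTTP/1.1", ""),
    ("POST /cgi-bin/weblogin.cgi HTTP/1.1", "username=admin'%3Bcmd%3B'&password=x"),
    ("GET /cgi-bin/status.cgi?username=admin%27 HTTP/1.1", ""),  # not the login CGI
]

def flagged_samples():
    """Indices of SAMPLES that look like CVE-2020-9054 probes."""
    return [i for i, (line, body) in enumerate(SAMPLES) if is_injection_attempt(line, body)]

if __name__ == "__main__":
    for i in flagged_samples():
        print("suspicious weblogin.cgi request:", SAMPLES[i][0])
```

Run against web-server access logs or a reverse-proxy request log in front of the NAS; only the first sample is a benign login, and the status.cgi line shows the check is scoped to the vulnerable program rather than every request with a quote in it.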