A new variant of the Mirai malware is attacking Zyxel network-attached storage (NAS) devices using a vulnerability that was only discovered last month.
According to security researchers at Palo Alto Networks’ Unit 42 threat intelligence team, the Mukashi variant uses a pre-authentication command injection vulnerability found in the affected devices. It has a critical rating (a CVSS v3.1 score of 9.8) because it is trivial to exploit.
“Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts,” Unit 42’s Ken Hsu, Zhibin Zhang and Ruchna Nigam said in a blog post.
Zyxel devices with firmware versions up to 5.21 are vulnerable to this attack.
The flaw lies in the weblogin.cgi executable, which does not properly sanitize the username parameter during authentication. An attacker can use a single quote (') to close the string and a semicolon (;) to append arbitrary commands, achieving command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the malicious payload can be embedded in either kind of request to gain code execution.
Researchers said that the first incident happened at 19:07 (UTC) on March 12, 2020. An attacker attempted to download a shell script to the tmp directory, execute it, and then remove the evidence on a vulnerable device.
They added that the Mukashi bot scans TCP port 23 of random hosts, brute forces the logins using different combinations of default credentials, and reports successful login attempts to its C2 server. Like other Mirai variants, Mukashi is also capable of receiving C2 commands and launching DDoS attacks.
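The injection pattern described above (a quote that closes the string and a semicolon that chains a command in the username parameter of weblogin.cgi) is straightforward to screen for in web server logs. The following detection script is an added example, not code from Unit 42 or Zyxel; the /cgi-bin/ path prefix, the combined-log line format and the sample log lines are all constructed for illustration. It flags GET requests carrying shell metacharacters in the username, and marks POST requests to the same endpoint as needing body inspection, since access logs do not record form bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

WEBLOGIN = "weblogin.cgi"
# The report describes the injection as a single quote that closes the
# string plus a semicolon that chains a command; either character in a
# login username is abnormal enough to flag on its own.
METACHARS = re.compile(r"[';]")

# Combined-log-style line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_usernames(raw_params: str) -> list:
    """Return username values in a query string or urlencoded form body
    that contain shell metacharacters. Works for GET query strings and,
    if a proxy or WAF captures them, POST form bodies."""
    params = parse_qs(raw_params, keep_blank_values=True)
    hits = []
    for value in params.get("username", []):
        # parse_qs decodes once; decode again so a double-encoded %2527
        # cannot slip past the check.
        decoded = unquote(value)
        if METACHARS.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines):
    """Return (src, ts, verdict, detail) for every request to weblogin.cgi."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/" + WEBLOGIN):
            continue
        if m.group("method") == "GET":
            hits = suspicious_usernames(target.query)
            verdict = "injection-attempt" if hits else "benign"
            detail = hits[0] if hits else ""
        else:
            # The access log does not record the POST body; the same
            # username check must run wherever the body is visible.
            verdict, detail = "body-not-logged", ""
        findings.append((m.group("src"), m.group("ts"), verdict, detail))
    return findings


# Constructed sample lines (not from the report); the /cgi-bin/ prefix is assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2020:19:07:00 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3Bid%3B&password=x HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Mar/2020:19:08:15 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=s3cret HTTP/1.1" 200 512',
    '192.0.2.9 - - [12/Mar/2020:19:09:30 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2020:19:10:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, ts, verdict, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {src:<14} {verdict:<18} {detail}")
```

Because the endpoint also accepts POST, a log-only check only covers half the attack surface; the same suspicious_usernames check applied at a reverse proxy or WAF that sees the request body closes the gap, and the real fix remains updating the firmware.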
“When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor,” researchers said.
Before doing so, Mukashi binds to TCP port 23448 to ensure that only a single instance is running on the infected system.
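The two host-level indicators in the description above, a process renamed to dvrhelper and a listener bound to TCP port 23448, can be checked from a shell on a suspect device. The triage script below is an added example, not tooling from Unit 42 or Zyxel; it parses the output of `ss -ltn` and `ps -eo pid,comm`, and the sample outputs are constructed. It assumes those two commands exist on the device; a BusyBox-based NAS may only offer `netstat -tln`, whose column layout differs from the regex used here.

```python
import re

# Host indicators from the Unit 42 description: the bot renames itself to
# "dvrhelper" and binds TCP 23448 so that only one instance runs.
MUTEX_PORT = 23448
BOT_PROCESS_NAME = "dvrhelper"

# Matches "LISTEN 0 128 0.0.0.0:23448 0.0.0.0:*" style lines from `ss -ltn`;
# the address part may be an IPv4, "[::]" or "*" literal.
SS_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def listening_ports(ss_output: str) -> set:
    """Parse `ss -ltn` output into the set of locally listening TCP ports."""
    ports = set()
    for line in ss_output.splitlines():
        m = SS_LISTEN.match(line.strip())
        if m:
            ports.add(int(m.group("port")))
    return ports


def process_names(ps_output: str) -> dict:
    """Parse `ps -eo pid,comm` output into {pid: command name}."""
    procs = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs


def mukashi_indicators(ss_output: str, ps_output: str) -> list:
    """Return human-readable findings for each indicator present."""
    hits = []
    if MUTEX_PORT in listening_ports(ss_output):
        hits.append(f"tcp/{MUTEX_PORT} listening (single-instance bind)")
    for pid, name in process_names(ps_output).items():
        if name == BOT_PROCESS_NAME:
            hits.append(f"process {pid} named {name}")
    return hits


# Constructed sample command output, not captured from a real device.
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       1       0.0.0.0:23448        0.0.0.0:*
"""
SAMPLE_PS = """  PID COMMAND
    1 init
  412 httpd
  987 dvrhelper
"""

if __name__ == "__main__":
    for finding in mukashi_indicators(SAMPLE_SS, SAMPLE_PS):
        print("indicator:", finding)
```

A clean device produces an empty list. A hit on either indicator is grounds for isolating the NAS and re-flashing it with current firmware rather than just killing the process, since the initial foothold was the unauthenticated command injection and the device remains exploitable until updated.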
Pascal Geenens, security evangelist at Radware, told SC Media UK that the most obvious way of mitigating the vulnerability, as with most vulnerabilities exploited by IoT malware, is to update the affected device.
“Automated updates would be the best line of defence for IoT, if only they were widely supported on the devices. Since most devices only provide obscure update procedures and owners are not tuned in to the security community or the vendor’s security advisories, vulnerabilities that are older than the concept of IoT itself are still successfully leveraged by existing Mirai deployments,” he said.
“Many IoT devices with known vulnerabilities are out of support and vendors do not provide updates anymore. These should be replaced by newer, supported devices. However, it is not common for consumers to replace devices based on security concerns; their motivations for replacement are failures and features.”
Chris Bates, VP security strategy at SentinelOne, told SC Media UK that many embedded devices can be difficult or impossible to patch, and that it’s easy to see how even a device bought today and protected by strong credentials could become a risk in the future when its OS or firmware is found to contain exploitable bugs.
“Without a full and updated inventory of what’s running on your network, the danger of “forgetting” about devices that could at some point be exploited is one that businesses can’t afford to ignore,” he said. “First, implement and enforce a password policy for your IoT devices just like you would for any other device. Second, ensure you have the tools for full network visibility and control so that forgotten assets can be discovered and managed.”