In a significant development in cybersecurity, a new variant of the notorious Mirai botnet—dubbed “Mukashi”—is actively exploiting a newly discovered critical vulnerability affecting network-attached storage (NAS) devices. This attack aims to remotely compromise and commandeer vulnerable machines, reflecting an escalation in tactics employed by cybercriminals.
Mukashi employs brute-force techniques, systematically testing various combinations of default credentials to gain unauthorized access to Zyxel’s NAS, Unified Threat Management (UTM), Advanced Threat Protection (ATP), and Virtual Private Network (VPN) firewall products. Once a device is compromised, it becomes part of a sprawling botnet capable of launching Distributed Denial of Service (DDoS) attacks, severely disrupting targeted online services.
According to the Unit 42 team of Palo Alto Networks, multiple Zyxel NAS products running firmware versions up to 5.21 are susceptible to exploitation. The first instance of this vulnerability being exploited in real-world conditions was identified on March 12.
The Mukashi malware capitalizes on a pre-authentication command injection vulnerability (CVE-2020-9054) relating to a “weblogin.cgi” component within the Zyxel devices. Notably, a proof-of-concept exploit for this vulnerability became publicly accessible only recently. Researchers revealed that this flaw enables remote code execution via improper input sanitization during authentication processes.
Zyxel has responded by issuing a patch to address the vulnerability, prompted by reports that detailed exploitation techniques were being sold on underground cybercrime forums for exorbitant sums. However, users of older, unsupported models may still be at risk, as the patch does not cover these devices. Zyxel has advised users to enhance their security measures proactively, including avoiding exposing these devices directly to the Internet and utilizing security routers or firewalls for additional safeguards.
Mukashi operates similarly to other Mirai variants, scanning the Internet for IoT devices—such as routers and NAS devices—vulnerable due to the use of factory-default or weak passwords. Once it successfully logs into a device, Mukashi communicates back to its command-and-control server, awaiting further instructions for executing DDoS attacks.
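A defender-side check for the two behaviours the article describes, injection attempts against weblogin.cgi and credential brute-forcing against the same login endpoint, written as an added example; it is not code from the article, Unit 42 or Zyxel. The Common Log Format, the /cgi-bin/ path prefix and the use of HTTP 401 for a failed login are assumptions about how the device logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed Common Log Format lines for illustration only (not from the article or
# a real device). The /cgi-bin/ prefix and a 401 status for a failed login are assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2020:10:01:01 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 401 0
203.0.113.5 - - [12/Mar/2020:10:01:02 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 401 0
203.0.113.5 - - [12/Mar/2020:10:01:03 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 401 0
203.0.113.5 - - [12/Mar/2020:10:01:04 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 401 0
203.0.113.5 - - [12/Mar/2020:10:01:05 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2020:10:05:00 +0000] "GET /cgi-bin/weblogin.cgi?lang=en%3Bid HTTP/1.1" 200 37
192.0.2.9 - - [12/Mar/2020:10:06:00 +0000] "GET /cgi-bin/weblogin.cgi?lang=en HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Shell metacharacters that have no business in a login request's query string.
META_RE = re.compile(r"[;|`]|\$\(|&&")

def parse(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def injection_hits(lines):
    """Requests to weblogin.cgi whose URL-decoded query carries shell metacharacters."""
    return [(r["ip"], r["target"]) for r in filter(None, map(parse, lines))
            if r["path"].endswith("weblogin.cgi") and META_RE.search(unquote(r["query"]))]

def bruteforce_sources(lines, threshold=4, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` failed weblogin.cgi attempts inside one window."""
    fails = defaultdict(list)
    for r in filter(None, map(parse, lines)):
        if r["path"].endswith("weblogin.cgi") and r["status"] == 401:
            fails[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window   # sliding window over sorted times
               for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return sorted(flagged)
```

Access logs do not record POST bodies, so an injection carried in a form field is only visible with request-body logging or an IDS/WAF in front of the device; a brute-force source that eventually succeeds (the 200 after the 401s above) is the case worth escalating.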
When executed, Mukashi displays a message indicating that it is “Protecting your device from further infections,” simultaneously altering its process name to “dvrhelper.” This suggests that Mukashi might inherit and adapt features from its predecessor, amplifying the ongoing threat from the Mirai family of malware.
Since its inception in 2016, the original Mirai botnet has been linked to numerous high-profile DDoS attacks, including the disruption of key services provided by DNS service provider Dyn. With variants continually emerging, driven in part by the availability of Mirai’s source code, the need for heightened cybersecurity awareness has never been more critical.
Business owners are urged to ensure that their Zyxel devices are updated with the latest patches and to use complex passwords to further fortify their defenses against such brute-force exploitation attempts. Comprehensive awareness of these vulnerabilities and proactive measures are essential for mitigating the risks posed by the proliferation of botnet threats like Mukashi. For a full list of affected Zyxel products and to verify if a device is vulnerable, users can refer to the company’s support page.