There is a new variant of the Mirai botnet called Mukashi. The attackers are targeting unpatched Zyxel NAS devices, on which the bot is then installed.
ZyXEL vulnerability CVE-2020-9054
Multiple ZyXEL network attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow a remote attacker to execute arbitrary code on a vulnerable device without logging in. This security advisory was issued on February 24, 2020. I had reported this in the blog post Vulnerability CVE-2020-9054 in ZyXEL NAS devices.
Mukashi botnet targets Zyxel NAS devices
ZDNet reports here that cyber criminals are specifically exploiting the CVE-2020-9054 vulnerability to attack Zyxel NAS devices. The malware, called Mukashi, uses brute force attacks with various combinations of default credentials to log on to Zyxel NAS devices. The malware then attempts to take control of these devices and add them to a botnet. The botnet can be used, for example, to perform Distributed Denial of Service (DDoS) attacks.
Mukashi exploits the above mentioned vulnerability (CVE-2020-9054) in Zyxel NAS devices with firmware version 5.21. Remote code execution attacks then follow, as security researchers from Palo Alto Networks have observed. Since at least March 12th, the malware has been scanning TCP ports for potential targets and launching brute force attacks that try common username/password combinations. Once logged in, Mukashi connects to a command and control server that can issue commands to perform DDoS attacks.
During code analysis of the Mukashi malware, the security researchers found that, despite some differences, it largely matches the Mirai botnet. The Mirai botnet crippled large parts of the Internet or slowed down websites through DDoS attacks in late 2016. The Mirai source code was later published online, giving cybercriminals the tools to build their own botnets.
Zyxel patched the vulnerability affecting network attached storage and firewall products last month, and it is strongly recommended that all Zyxel users install the firmware update to protect the devices from Mukashi attacks.