A remote code execution vulnerability in Zyxel network attached storage (NAS) devices that was uncovered back in February 2020 is being abused to infect unpatched devices with Mukashi, a descendant of the infamous Mirai internet of things (IoT) botnet.
The critically rated vulnerability, CVE-2020-9054, is considered relatively trivial to exploit and has already been extensively weaponised. This is in spite of Zyxel having acted entirely responsibly through the disclosure process, and having made patches available to affected users.
Ken Hsu, Zhibin Zhang and Ruchna Nigam of Palo Alto Networks’ Unit 42 threat research unit have been monitoring the spread of Mukashi, which was initially discovered via the sale of its exploit code as a zero day, and is allegedly being used by a group of cyber criminals who are trying to fold the exploit into Emotet.
“Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control [C2] server of the successful login attempts,” said Hsu and his colleagues in a blog detailing their research.
“Multiple, if not all, Zyxel NAS products running firmware versions up to 5.21 are vulnerable to this pre-authentication command injection vulnerability. The vendor advisory is also available.”
The core vulnerability hinges on an executable, weblogin.cgi, that does not properly sanitise username parameters during authentication. As a result of this, attackers can use a single quote mark to close the string and a semicolon to concatenate arbitrary commands and achieve command execution. As weblogin.cgi accepts both HTTP GET and POST requests, attackers can embed the malicious payload in an HTTP request and achieve code execution.
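As an added illustration of the detection side (this is not code from the Unit 42 post or from Zyxel), a small Python scanner that flags weblogin.cgi requests whose username parameter shows the quote-then-semicolon shape described above. The access-log format, the request path and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common access-log format (not real traffic).
# CMD is a deliberate placeholder token, not a command.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2020:10:01:02 +0000] "GET /weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512
192.0.2.11 - - [12/Mar/2020:10:01:05 +0000] "GET /weblogin.cgi?username=admin%27%3BCMD&password=x HTTP/1.1" 200 12
192.0.2.12 - - [12/Mar/2020:10:01:09 +0000] "POST /weblogin.cgi HTTP/1.1" 200 512
192.0.2.13 - - [12/Mar/2020:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# client, timestamp, method and request target from one access-log line
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# A username that closes a single-quoted string and then appends ';'
# is the injection shape the advisory describes.
SUSPECT_RE = re.compile(r"'\s*;")


def classify_request(line):
    """Return ('inject', src, username), ('opaque_post', src, None) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if not parts.path.endswith('weblogin.cgi'):
        return None
    if m['method'] == 'POST':
        # POST bodies never reach an access log: these requests need
        # WAF or full-packet inspection rather than log review.
        return ('opaque_post', m['src'], None)
    # parse_qs percent-decodes values, so %27%3B becomes ';
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('username', []):
        if SUSPECT_RE.search(value):
            return ('inject', m['src'], value)
    return None


def scan_log(text):
    """Classify every line; keep only the findings worth escalating."""
    return [r for r in (classify_request(l) for l in text.splitlines()) if r]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the advisory notes weblogin.cgi accepts POST as well as GET, the scanner reports POST logins separately: a clean access log alone cannot rule them out.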
Hsu said Palo Alto observed the first Mukashi-related exploit on 12 March 2020. In this case, the attacker attempted to download a shell script, execute it to fetch Mirai bot binaries built for several CPU architectures, and remove the evidence from the vulnerable device.
Mukashi goes to work by first scanning TCP port 23 on random hosts, brute forcing a login and reporting successful logins to its C2 server. Like other descendants of Mirai, it can receive C2 commands to launch distributed denial of service (DDoS) attacks.
Hsu’s team has given extensive technical details of how Mukashi works, as well as indicators of compromise (IoCs), on the Unit 42 website.
“Updating the firmware is highly recommended to keep the attackers at bay,” said the researchers. “The latest version of the firmware is available for download. Complex login passwords are also advised to prevent brute forcing.”
Palo Alto added that its own customers would be protected from Mukashi through its next-generation firewall products with threat prevention licences, and its WildFire product, a cloud-based virtual environment that analyses and executes unknown samples – a free version of which is available as part of the next-generation firewall subscription.
Zyxel noted that for affected NAS products that reached end of support in 2016 or before, firmware updates are no longer being provided. “We strongly recommend that users follow the workaround procedure, as detailed … to remediate the vulnerability,” it said.