New Mirai Variant Targets Zyxel Network-Attached Storage Devices (Mar 19, 2020)
A vulnerability registered as “CVE-2020-9054” allows threat actors to remotely execute arbitrary code on vulnerable Zyxel network-attached storage (NAS) drives. This vulnerability has been observed being exploited to deploy a new Mirai bot variant called Mukashi. Mukashi scans port 23 of hosts and brute-forces the login with different combinations of credentials until it succeeds. It then sends the successful credential pair back to its command and control (C2) server. Zyxel products at risk from this vulnerability are those running firmware versions up to 5.21.
Recommendation: The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use, to protect against known vulnerabilities that threat actors may exploit. It is also advised to set long, complex passwords on devices, so that brute-force attempts would take too long to succeed.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
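The port 23 scanning described above leaves a recognizable trace in network logs: one internal host contacting many distinct destinations on TCP/23 in a short time. The following detection sketch is an added example, not part of the original report; the log format, addresses, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines (assumed format, not from the report).
SAMPLE_LOG = [
    # One host touching six different destinations on port 23 within 10 seconds.
    f"2020-03-19T10:00:{i * 2:02d} SRC=10.0.0.5 DST=198.51.100.{i + 1} DPT=23"
    for i in range(6)
] + [
    # An administrator repeatedly using telnet to a single device.
    "2020-03-19T10:00:05 SRC=10.0.0.9 DST=10.0.0.1 DPT=23",
    "2020-03-19T10:00:20 SRC=10.0.0.9 DST=10.0.0.1 DPT=23",
    "2020-03-19T10:00:06 SRC=10.0.0.7 DST=203.0.113.4 DPT=443",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dpt = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dpt)

def telnet_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Map each source to its peak count of distinct port-23 destinations
    inside any sliding window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for ts, src, dst, dpt in parse(lines):
        if dpt == 23:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(telnet_fanout(SAMPLE_LOG))
```

A NAS that appears in the result is worth isolating and checking against the firmware advisory; the threshold should be tuned to the amount of legitimate telnet use on the network.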