New version of Mirai malware focuses on NAS devices

Get a free Techzine subscription!

A new variant of the Mirai malware focuses on a vulnerability in network attached storage (NAS) and uses that vulnerability to integrate the devices into an Internet of Things (IoT) botnet.

The new version of the malware, named Mukashi, uses brute force attacks using different combinations of standard credentials. This in an attempt to log into Zyxel-based storage devices in order to control them and then add them to a network of devices. The resulting botnet can be used to carry out DDoS attacks.

Mukashi leverages the vulnerability code CVE-2020-9054 in Zyxel NAS devices, with firmware version 5.21. Attackers can remotely execute code. According to Palo Alto Networks researchers, cybercriminals are currently actively trying to exploit the vulnerability.

Procedure

The malware has been active since March 12 at the latest. Attackers scan TCP ports for potential targets and then launch brutal force attacks in an attempt to bypass common username and password combinations. Once that login is bypassed, the malware connects to a command & control server that can issue commands to carry out DDoS attacks.

Although there are some differences with Mukashi’s code, the capabilities are almost exactly the same as with Mirai. The Mirai botnet was able to shut down large parts of the internet in 2016, making large online services inaccessible or slow for millions of users.

Zyxel already patched the vulnerability last month. It is therefore recommended that all users download the firmware update to protect their devices from Mukashi attacks.