
Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices

Severity

High

Analysis Summary

CVE-2020-9054

A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection.

New Mirai Variant – Mukashi

Mukashi is a bot that scans the TCP port 23 of random hosts, brute forces the logins using different combinations of default credentials, and reports the successful login attempt to its C2 server. Like other Mirai variants, Mukashi is also capable of receiving C2 commands and launching DDoS attacks.

When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor.

[Figure 3. Scanning TCP port 23 of random hosts]

Vulnerability Analysis

The executable weblogin.cgi does not properly sanitize the username parameter during authentication. An attacker can use a single quote (') to close the string and a semicolon (;) to concatenate arbitrary commands, achieving command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in either kind of request and gain code execution.

[Figure 2. Shell script that downloads and launches the bots]
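A detection check for the weblogin.cgi injection described above, added here as an example and not code from Rewterz, Zyxel or the Mukashi analysis. It scans constructed access-log lines for requests to weblogin.cgi whose username parameter carries the single quote or semicolon the advisory names, after undoing percent-encoding; the /cgi-bin/ location, the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote
# Combined-log-format access line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
METACHARS = ("'", ";")  # characters the advisory names for breaking out of the username string

# Constructed sample lines (not real traffic); the /cgi-bin/ location of weblogin.cgi is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2020:10:01:02 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Mar/2020:10:01:07 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%2527%253Btest HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '198.51.100.2 - - [20/Mar/2020:10:02:00 +0000] "GET /index.html?username=%27 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def fully_unquote(value, rounds=3):
    """Undo percent-encoding repeatedly so a double-encoded quote (%2527) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, target, body=""):
    """Return a finding for a weblogin.cgi request whose username carries metacharacters, else None.
    GET parameters come from the query string; POST parameters from `body`, which a plain access
    log does not record, so POST coverage needs a proxy or WAF log that keeps request bodies."""
    path, _, query = target.partition("?")
    if not path.endswith("/weblogin.cgi"):
        return None
    params = parse_qs(query if method == "GET" else body, keep_blank_values=True)
    for raw in params.get("username", []):
        username = fully_unquote(raw)
        hits = [c for c in METACHARS if c in username]
        if hits:
            return {"method": method, "username": username, "metachars": hits}
    return None

def scan_access_log(lines):
    # Parse each access-log line and collect findings, attaching the client IP.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["method"], m["target"])
        if finding:
            finding["ip"] = m["ip"]
            findings.append(finding)
    return findings
```

Run against the constructed lines, only the second one is flagged; the third shows that the same characters in a parameter to another CGI are ignored.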

Impact

  • Remote code execution
  • Credential theft
  • Exposure of sensitive information

Affected Vendors

Zyxel NAS (Network Attached Storage)

Affected Products

NAS products running firmware version 5.21 and earlier

Indicators of Compromise

SHA-256

Remediation

Update to the latest firmware:

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml