
Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices

March 21, 2020

Severity

High

Analysis Summary

CVE-2020-9054

A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products. Because the program can be reached without authentication, attackers can achieve remote code execution via OS command injection.

New Mirai Variant – Mukashi

Mukashi is a bot that scans TCP port 23 of random hosts, brute-forces logins using different combinations of default credentials, and reports each successful login attempt to its C2 server. Like other Mirai variants, Mukashi is also capable of receiving C2 commands and launching DDoS attacks.

When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor.

[Figure 3: Scanning TCP port 23 of random hosts]
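The scanning behaviour described above (one source touching many random hosts on TCP/23 in a short time) is visible in flow or firewall connection logs. The following detector is an added example, not code from the advisory or from Rewterz; it assumes a simplified, constructed flow record format of "timestamp src dst dport" and flags any source that reaches more than a threshold of distinct destinations on port 23 inside a sliding window.

```python
"""
Sliding-window detector for Mirai/Mukashi-style TCP/23 scanning.
Added example: assumes a constructed, simplified flow-record format
"ISO-timestamp src dst dport" (real NetFlow/firewall exports need their
own parser). Flags any source that contacts more than THRESHOLD distinct
destinations on port 23 within WINDOW.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORT = 23
THRESHOLD = 5                 # distinct TCP/23 targets per window before alerting
WINDOW = timedelta(seconds=60)

# Constructed sample flow records (documentation-range IPs, not real traffic):
# 192.0.2.10 sweeps six hosts on port 23, 192.0.2.44 hammers one host,
# 192.0.2.77 touches many hosts but on 443.
SAMPLE_FLOWS = """\
2020-03-21T10:00:01 192.0.2.10 198.51.100.5 23
2020-03-21T10:00:02 192.0.2.10 198.51.100.6 23
2020-03-21T10:00:02 192.0.2.10 198.51.100.7 23
2020-03-21T10:00:03 192.0.2.10 198.51.100.8 23
2020-03-21T10:00:03 192.0.2.10 198.51.100.9 23
2020-03-21T10:00:04 192.0.2.10 198.51.100.10 23
2020-03-21T10:00:05 192.0.2.44 198.51.100.5 23
2020-03-21T10:00:06 192.0.2.44 198.51.100.5 23
2020-03-21T10:00:07 192.0.2.44 198.51.100.5 23
2020-03-21T10:00:08 192.0.2.77 198.51.100.20 443
2020-03-21T10:00:09 192.0.2.77 198.51.100.21 443
2020-03-21T10:00:10 192.0.2.77 198.51.100.22 443
2020-03-21T10:00:11 192.0.2.77 198.51.100.23 443
2020-03-21T10:00:12 192.0.2.77 198.51.100.24 443
2020-03-21T10:00:13 192.0.2.77 198.51.100.25 443
"""


def parse_flow(line):
    """Split one constructed flow record into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_telnet_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak distinct TCP/23 destinations} for sources over threshold."""
    flows = sorted(parse_flow(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)     # src -> (ts, dst) events still inside the window
    counts = defaultdict(Counter)   # src -> dst -> hits inside the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != TELNET_PORT:
            continue
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire events older than the window and drop destinations no longer seen.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        distinct = len(c)
        if distinct > threshold and distinct > flagged.get(src, 0):
            flagged[src] = distinct
    return flagged


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT telnet sweep from {src}: {peak} distinct targets within {WINDOW}")
```

Only 192.0.2.10 is reported. The repeated attempts from 192.0.2.44 against a single host are the brute-force half of the behaviour, which this rule deliberately ignores; pairing it with the NAS's own failed-login counts on the telnet service covers that side.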

Vulnerability Analysis

The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. An attacker can use a single quote (') to close the string and a semicolon (;) to concatenate arbitrary commands, achieving command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the malicious payload can be embedded in either kind of request to gain code execution.

[Figure 2: Shell script that downloads and launches the bots]
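Because the injection rides on a quote and a semicolon inside the username parameter, exploitation attempts sent as GET requests leave a recognisable trace in the web server's access log. The scanner below is an added example, not code from the advisory, Rewterz or Zyxel; it assumes Common Log Format lines, treats the /cgi-bin/ prefix as an assumption (only the script name is matched), and uses a constructed placeholder instead of a real injected command. POST requests to weblogin.cgi are reported separately as unverified, since an access log does not contain the request body.

```python
"""
Access-log scanner for weblogin.cgi command-injection attempts (CVE-2020-9054).
Added example: assumes Common Log Format; GET query strings are visible in
the log, POST bodies are not (those need WAF or proxy body logging).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (documentation-range IPs, not real traffic).
# CMD_PLACEHOLDER stands in for an injected command: the detector keys on the
# quote and semicolon the advisory describes, not on the command itself.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Mar/2020:10:15:01 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512
203.0.113.9 - - [21/Mar/2020:10:15:07 +0000] "GET /cgi-bin/weblogin.cgi?username=admin%27%3BCMD_PLACEHOLDER%3B%27&password=x HTTP/1.1" 200 120
203.0.113.9 - - [21/Mar/2020:10:15:09 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 120
198.51.100.4 - - [21/Mar/2020:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that can terminate the username string or chain a shell command.
SHELL_META = set("'\";|`$&")


def classify_request(line):
    """Return a finding dict for a suspicious weblogin.cgi request, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if url.path.rsplit('/', 1)[-1] != 'weblogin.cgi':
        return None
    finding = {'ip': m['ip'], 'ts': m['ts'], 'method': m['method']}
    if m['method'] == 'POST':
        # Body is not in the access log; cannot confirm or clear from here.
        return {**finding, 'verdict': 'post-unverified', 'username': None}
    # parse_qs percent-decodes, so %27 and %3B come back as ' and ;
    username = parse_qs(url.query, keep_blank_values=True).get('username', [''])[0]
    if any(ch in SHELL_META for ch in username):
        return {**finding, 'verdict': 'injection', 'username': username}
    return None


def scan_log(text):
    """Run classify_request over every line and keep the findings."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['verdict']} username={f['username']!r}")
```

The clean login on the first line produces nothing, the second line is reported as an injection with the decoded username, and the POST is surfaced for follow-up rather than silently passed. A status of 200 on the injection line is not evidence of failure: the CGI returns normally while the injected command runs, so the verdict has to come from the parameter, not the response code.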

Impact

  • Remote code execution
  • Credential theft
  • Exposure of sensitive information

Affected Vendors

Zyxel NAS (Network Attached Storage)

Affected Products

NAS products running firmware version 5.21 and earlier

Indicators of Compromise

SHA-256

  • 3e8af889a10a7c8efe6a0951a78f3dbadae1f0aa28140552efa0477914afd4fd
  • 213cdcf6fd5ca833d03d6f5fa0ec5c7e5af25be8c140b3f2166dccccf1232c3e
  • 4f1fe9dc48661efe2c21b42bd5779f89db402b5caa614939867508fa6ba22cd6
  • 0f7fb7fb27ce859b8780502c12d16611b3a7ae72086142a4ea22d5e7eaa229bc
  • 9a983a4cee09e77100804f6dae7f678283e2d2ff32d8dbcf356ef40dcdff8070
  • 060547ee0be2d5e588e38d1ad11e1827ba6ce7b443b67e78308571e9d455d79b
  • 940fa7d9ef770a3e70c5f227a0ad1aaac88071f3c4879a2c92e7c155d9626d73
  • 514e5ca58df6ba22708046cd034af05e3a88f80da893e4d7e2124137086468b0
  • af6a51c012062078d6fcf112b3e4239eb029fc895f5f74fb5e40eb0b71fe67ce
  • 3ae3b155c274edb389fe9d06bf9349bfd829c0e55db34238c3a8f53da16b4d98
  • 5060a00c235566726cdf0e0a07f022cdbf2f59cff636f37b19576bf98ea70027
  • 906d945b00465b1b7f6a828eb47edc0e875e745b7638258afbe8032d4c2d6ac6
  • 27f26c710b4d461396749acfbe8fadc57ba19dcb70b1e1890599ca938c0d6aec
  • 162add056aef065ff0e19242ca8674698586b295b2f75c03f9f22a14f6e16ff3
  • 948776a3c50a8e6a2f58f27f29095b63f7bbc0f8b5aeb08c6a4ba27558b13a0d
  • 941e2833d313d33e53db5416718ba4c68609ac0537d3f16bf600c0bee2f562d0
  • 8473645820c828758a7655730ab6bd6967c97872687f4b6d5eff769387f59059
  • 1a4efe25a8f660e44abdb82d84912cf24db7eabfe9ad3c4c12080ca05636d73b
  • dbcd46dabd2fbddb40e17c2f7790950086b0108370d2448ff5fe407a9cd83103
  • 751b0fe6616034a72235c7d3021e3f54f0634b9b5b29fed56cd44843389da0e9
  • 5a69a7c079555b53263a64dc0757f2168e255b29bc17ab846aceb2f8d08f3830
  • 3061fd4a4a57e8c1948c30728f82a82213a1907ee8fccb7037dd1649e1c51e0e
  • 47f9e2e65b17b937bc32fc6bb5bfbbb0efd2b86305b9d29a976512cbcc049d28

Remediation

Update to the latest firmware:

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.