Rewterz Threat Alert – Koadic RAT – Multistage Malware Distributed through COVID’19 Document
March 20, 2020Rewterz Threat Alert – Banking technology FinTech Firm Finastra hit by ransomware
March 21, 2020Severity
High
Analysis Summary
CVE-2020-9054
A remote code execution vulnerability was identified in the weblogin.cgi program used in Zyxel NAS and firewall products. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection.
New Mirai Variant – Mukashi
Mukashi is a bot that scans the TCP port 23 of random hosts, brute forces the logins using different combinations of default credentials, and reports the successful login attempt to its C2 server. Like other Mirai variants, Mukashi is also capable of receiving C2 commands and launching DDoS attacks.
When it’s executed, Mukashi prints the message “Protecting your device from further infections.” to the console. The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor.
Vulnerability Analysis
The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.
Impact
- Remote code execution
- Credential theft
- Exposure of sensitive information
Affected Vendors
Zyxel NAS (Network Attached Storage)
Affected Products
NAS products running firmware version 5.21 and earlier
Indicators of Compromise
SHA-256
- 3e8af889a10a7c8efe6a0951a78f3dbadae1f0aa28140552efa0477914afd4fd
- 213cdcf6fd5ca833d03d6f5fa0ec5c7e5af25be8c140b3f2166dccccf1232c3e
- 4f1fe9dc48661efe2c21b42bd5779f89db402b5caa614939867508fa6ba22cd6
- 0f7fb7fb27ce859b8780502c12d16611b3a7ae72086142a4ea22d5e7eaa229bc
- 9a983a4cee09e77100804f6dae7f678283e2d2ff32d8dbcf356ef40dcdff8070
- 0f7fb7fb27ce859b8780502c12d16611b3a7ae72086142a4ea22d5e7eaa229bc
- 9a983a4cee09e77100804f6dae7f678283e2d2ff32d8dbcf356ef40dcdff8070
- 060547ee0be2d5e588e38d1ad11e1827ba6ce7b443b67e78308571e9d455d79b
- 940fa7d9ef770a3e70c5f227a0ad1aaac88071f3c4879a2c92e7c155d9626d73
- 514e5ca58df6ba22708046cd034af05e3a88f80da893e4d7e2124137086468b0
- af6a51c012062078d6fcf112b3e4239eb029fc895f5f74fb5e40eb0b71fe67ce
- 3ae3b155c274edb389fe9d06bf9349bfd829c0e55db34238c3a8f53da16b4d98
- 5060a00c235566726cdf0e0a07f022cdbf2f59cff636f37b19576bf98ea70027
- 906d945b00465b1b7f6a828eb47edc0e875e745b7638258afbe8032d4c2d6ac6
- 27f26c710b4d461396749acfbe8fadc57ba19dcb70b1e1890599ca938c0d6aec
- 162add056aef065ff0e19242ca8674698586b295b2f75c03f9f22a14f6e16ff3
- 948776a3c50a8e6a2f58f27f29095b63f7bbc0f8b5aeb08c6a4ba27558b13a0d
- 941e2833d313d33e53db5416718ba4c68609ac0537d3f16bf600c0bee2f562d0
- 8473645820c828758a7655730ab6bd6967c97872687f4b6d5eff769387f59059
- 1a4efe25a8f660e44abdb82d84912cf24db7eabfe9ad3c4c12080ca05636d73b
- dbcd46dabd2fbddb40e17c2f7790950086b0108370d2448ff5fe407a9cd83103
- 751b0fe6616034a72235c7d3021e3f54f0634b9b5b29fed56cd44843389da0e9
- 5a69a7c079555b53263a64dc0757f2168e255b29bc17ab846aceb2f8d08f3830
- 3061fd4a4a57e8c1948c30728f82a82213a1907ee8fccb7037dd1649e1c51e0e
- 47f9e2e65b17b937bc32fc6bb5bfbbb0efd2b86305b9d29a976512cbcc049d28
Remediation
Update to latest firmware
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml