
Mukashi malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction

Learning from the past is an important part of future success in any endeavor, and cyberattacks are no exception. Attack groups apply this lesson when they build new campaigns, before those campaigns are released into the wild.

Mukashi is an example of malware that reuses what has worked well for attackers in the past, wrapped up as a more narrowly focused variant. This article will detail the Mirai variant known as Mukashi and explore what it is, how it works and how to prevent it. Although Mukashi is fueled by the successes of Mirai, take heart — it can be stopped in its tracks just like its predecessor.

What is Mukashi?

Mukashi is a variant of the Mirai malware family, which is known for targeting IoT devices. The original Mirai was described as a classic case of racketeering: its creators infected potential clients with Mirai and then offered their services to remove the threat. The malware scanned IoT devices on a network for weaknesses and enslaved the vulnerable ones (especially those still using their default factory credentials).

What sets Mukashi apart from Mirai is that it exploits a specific vulnerability in a single vendor's network storage devices.

In February 2020, a zero-day remote code execution vulnerability, CVE-2020-9054, was discovered in Zyxel network-attached storage (NAS) devices. It carries a CVSS score of 9.8 and is rated critical. According to Krebs on Security, around 100 million Zyxel devices are deployed around the world, and Zyxel devices running firmware version 5.21 or earlier are vulnerable.
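The practical defender's task that follows from that version bound is finding every affected device in an inventory. The script below is an added example, not code from the article, from Infosec Resources or from Zyxel: it takes only the article's statement that firmware 5.21 or earlier is affected, and every hostname, address, vendor name and version string in it is constructed. It also shows why comparing version strings lexically or as floats misses affected devices, and why an unparsable version should be flagged rather than skipped.

```python
"""Firmware-version triage over a constructed NAS inventory.

Added example, not code from the original article or from Zyxel. The one fact
taken from the article is that Zyxel NAS firmware 5.21 or earlier is affected
by CVE-2020-9054; every hostname, address and version string below is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Upper bound of the affected range, as stated in the article.
MAX_AFFECTED_VERSION = "5.21"

# A leading 'v'/'V' is optional; only the dotted numeric prefix is compared and
# anything after it (a build tag, for instance) is ignored. Assumption: vendors
# differ in how they append build tags, so the pattern is deliberately loose.
_VERSION_RE = re.compile(r"^\s*[vV]?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.21' into (5, 21) so comparison is numeric, component by component.

    Comparing the raw strings gets this wrong: '5.21' < '5.3' is True in Python
    because '2' sorts before '3', and float('5.21') < float('5.3') fails the
    same way. Tuple comparison reads 5.21 as newer than 5.3, which is how
    dotted release numbers are meant to be read.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparsable firmware version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the firmware is at or below the affected version bound."""
    return parse_version(version) <= parse_version(MAX_AFFECTED_VERSION)


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    vendor: str
    firmware: str


def triage(inventory: List[Device]) -> List[Device]:
    """Return the Zyxel devices that need review.

    Other vendors are skipped, since the article's version bound applies only
    to Zyxel NAS firmware. A version that cannot be parsed is flagged rather
    than skipped: an unknown version is not evidence that a device is safe.
    """
    flagged = []
    for dev in inventory:
        if dev.vendor.lower() != "zyxel":
            continue
        try:
            if is_affected(dev.firmware):
                flagged.append(dev)
        except ValueError:
            flagged.append(dev)  # unknown version: needs a manual check
    return flagged


# Constructed inventory; nothing here refers to a real device.
SAMPLE_INVENTORY: List[Device] = [
    Device("nas-01", "10.0.0.11", "Zyxel", "5.21"),     # exactly at the bound
    Device("nas-02", "10.0.0.12", "Zyxel", "5.3"),      # older than 5.21
    Device("nas-03", "10.0.0.13", "Zyxel", "V5.30"),    # newer, leading V
    Device("nas-04", "10.0.0.14", "Zyxel", "unknown"),  # unparsable, flagged
    Device("nas-05", "10.0.0.15", "OtherCo", "4.0"),    # different vendor
]


if __name__ == "__main__":
    for dev in triage(SAMPLE_INVENTORY):
        print(f"{dev.hostname} ({dev.ip}) firmware {dev.firmware}: review required")
```

Run against the constructed inventory, the script flags nas-01, nas-02 and nas-04; a naive `"5.3" <= "5.21"` string comparison would have dropped nas-02. In a real environment the inventory would come from an asset database or SNMP/management-console export, and the devices returned are the ones to patch or isolate first.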

Mukashi takes advantage of CVE-2020-9054 to turn certain Zyxel NAS devices into an unwitting botnet of zombies. This vulnerability was first discovered by Palo (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/sEP8l30SRpU/