A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called "Mukashi," the new variant of the malware uses brute-force attacks with different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products, take control of the devices, and add them to a network of infected bots that can be used to carry out distributed denial-of-service (DDoS) attacks.
Since its discovery in 2016, the Mirai botnet has been linked to a string of large-scale DDoS attacks, including one against DNS service provider Dyn in October 2016 that left major internet platforms and services inaccessible to users in Europe and North America. Like other Mirai variants, Mukashi operates by scanning the Internet for vulnerable IoT devices such as routers, NAS devices, security cameras, and digital video recorders (DVRs), looking for potential hosts that are protected only by factory-default credentials or commonly used passwords and co-opting them into the botnet.
Meanwhile, at least three botnet operators secretly exploited three zero-day vulnerabilities in LILIN digital video recorders (DVRs) for more than six months before the vendor finally patched the bugs last month, in February 2020. It will most likely take months, if not years, for the patch to make it to some devices. If there's an Achilles' heel to today's IoT landscape, it's the fact that there's no easy one-button-push way to update firmware on most devices. Once shipped to customers, the vast majority of these systems remain unpatched until decommissioned.