Mukashi botnet takes advantage of a known vulnerability – which users are being urged to patch before their product is abused to take part in DDoS attacks. A new variant of Mirai malware is targeting a recently uncovered critical vulnerability in network-attached storage devices and exploiting them to rope the machines into an Internet of Things botnet.

Dubbed Mukashi, the malware uses brute force attacks using different combinations of default credentials in an effort to log into Zyxel network-attached storage products, take control of them and add them to a network of devices that can be used to conduct Distributed Denial of Service (DDoS) attacks.


  • Windows, Ubuntu, macOS, VirtualBox fall at Pwn2Own hacking contest
  • COVID-19: With everyone working from home, VPN security has now become paramount
  • APT28 has been scanning vulnerable email servers for more than a year
  • Scam, spam and phishing texts: How to spot SMS fraud and stay safe
  • Best security keys in 2020: Hardware-based two-factor authentication for online protection
  • How to protect yourself from mobile malware attacks (ZDNet YouTube)
  • Best home security of 2020: Professional monitoring and DIY (CNET)
  • How to set up secure credential storage for Docker (TechRepublic)

Mukashi takes advantage of a vulnerability (CVE-2020-9054) in Zyxel NAS devices running firmware version 5.21 that allows remote attackers to execute code – and according to researchers at Palo Alto Networks, cyber criminals are actively attempting to exploit the attack in the wild.

The malware has been scanning TCP ports for potential targets since at least March 12, launching brute force attacks in an effort to bypass common username and password combinations as it goes. Once the login has been bypassed, Mukashi connects with a command and control server that can issue orders to conduct DDoS attacks.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

While there are some differences in the Mukashi code, it’s capabilities are almost exactly the same as Mirai – that means it has the potential to conduct large scale DDoS attacks against selected targets.

The Mirai botnet infamously took down large sections of the internet in late 2016, cutting off or slowing down large numbers of popular online services for millions of users. The source code was released online, providing anyone who wants to build a malicious botnet with the tools to do so – and cyber criminals have actively taken advantage of this.

Zyxel patched the vulnerability affecting Network Attached Storage and firewall products last month and it’s recommended that all Zyxel users download the firmware update in order to protect devices from Mukashi attacks.

A common tactic by cyber criminals is to take advantage of known exploits that users haven’t patched, so it’s important to apply the updates as soon as they’re available.

Researchers also recommend that users apply complex passwords to devices to help prevent brute force attacks taking advantage of common or weak passwords to help control of products and accounts.