Mirai Descendant, Mukashi, Delivers DDoS Attacks


Researchers at Palo Alto Networks recently discovered a new form of malware, dubbed Mukashi, that can be used to create botnets able to launch damaging distributed denial of service (DDoS) attacks. The malware, a descendant of the infamous Mirai botnet code, exploits a pre-authentication remote code execution vulnerability (CVE-2020-9054) in Zyxel network-attached storage (NAS) products. The Mirai code was first unleashed in September of 2016, to launch a volumetric (approximately 620 Gbps) DDoS attack on the website of noted security researcher Brian Krebs. Shortly after that attack, the Mirai source code was released online and other cybercriminals built, and used, variations of it to launch additional attacks, such as the DDoS attack on Dyn in late October of that year.

Action Steps to Take

According to ZDNet, “Zyxel patched the vulnerability affecting Network Attached Storage and firewall products last month and it’s recommended that all Zyxel users download the firmware update in order to protect devices from Mukashi attacks.” Zyxel device operators should install the security updates as soon as possible. They should also replace default credentials with strong, unique passwords, because Mukashi additionally spreads by brute-forcing Telnet logins with combinations of well-known default usernames and passwords on Zyxel NAS devices. Management interfaces such as Telnet and the web login page should not be reachable from the Internet at all. Indeed, this is sound advice for any network-enabled device, especially those that make up the Internet of Things (IoT).

Presumably, there are tens of thousands of such storage devices installed worldwide. Because it is highly unlikely that every organization using them will see, or follow, the recommendations to protect them, it is inevitable that many organizations will become the victims of DDoS attacks powered by the Mukashi malware. This new tool in the cybercriminal’s arsenal is just another example of why this serious threat to business continuity is likely to continue unabated. So, it is all the more important for organizations to strengthen their DDoS defenses with an always-on, automatic, real-time DDoS mitigation solution.

A botnet powered by the Mukashi code could conceivably be used for a single massive volumetric attack that overwhelms a significant portion of the Internet or, as is more common, to launch many much smaller attacks against specific targets. It is worth noting that the vast majority of DDoS attacks are, in fact, not massive hundreds-of-gigabits or terabit-scale onslaughts; Corero’s Full Year 2019 DDoS Trends report shows that over 98% of DDoS attacks in 2019 were less than 10 Gbps. And a DDoS attack need not be massive in scale to prevent access to, or degrade availability of, a business-critical web application or website. Even with protection in place, many legacy DDoS mitigation tools are not able to detect smaller, sub-saturating attacks, or cannot react fast enough to the ones they do detect to avoid the damage they cause. With this constantly evolving DDoS threat landscape and increasing reliance on the Internet to conduct business, it’s more important than ever to implement protection that instantly and automatically detects and blocks any potential DDoS attack.
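The following is an added example, not Corero's code or data, illustrating the sub-saturating point above: it aggregates constructed flow records into per-second rates for one destination and runs two detectors over them, a legacy rule that only fires near link saturation and a baseline-relative rule that fires on a surge in packets per second. The 10 Gbps uplink, the 80% saturation trigger, the 5x baseline multiplier, the addresses and the traffic volumes are all assumptions chosen for the illustration.

```python
"""Sub-saturating DDoS detection: link-saturation threshold vs. baseline threshold.

Added example with constructed flow records (not Corero's code or data).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

LINK_BPS = 10_000_000_000      # assumed 10 Gbps uplink
SATURATION_FRACTION = 0.8      # legacy rule: alert only when the link is ~80% full
BASELINE_MULTIPLIER = 5.0      # adaptive rule: alert when pps exceeds 5x the learned baseline


@dataclass(frozen=True)
class FlowRecord:
    t: float          # seconds since start of capture
    src: str
    dst: str
    packets: int
    byte_count: int


def per_second_rates(records):
    """Aggregate records into {dst: {second: (pps, bps, distinct_sources)}}."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, 0, set()]))
    for r in records:
        cell = acc[r.dst][int(r.t)]
        cell[0] += r.packets
        cell[1] += r.byte_count * 8
        cell[2].add(r.src)
    return {dst: {s: (v[0], v[1], len(v[2])) for s, v in secs.items()}
            for dst, secs in acc.items()}


def saturation_alerts(rates):
    """Legacy detector: fires only when a destination's traffic nears link saturation."""
    return sorted((dst, s) for dst, secs in rates.items()
                  for s, (pps, bps, _) in secs.items()
                  if bps >= LINK_BPS * SATURATION_FRACTION)


def learn_baseline_pps(rates, dst, training_seconds):
    """Mean packets per second for dst over a known-clean training window."""
    return mean(rates[dst][s][0] for s in training_seconds if s in rates[dst])


def baseline_alerts(rates, dst, baseline_pps):
    """Adaptive detector: fires on a per-second pps surge relative to the baseline."""
    return sorted(s for s, (pps, _, _) in rates[dst].items()
                  if pps >= BASELINE_MULTIPLIER * baseline_pps)


TARGET = "203.0.113.10"   # constructed victim address (RFC 5737 documentation range)


def constructed_records():
    """Five seconds of normal traffic, then a 2 Gbps flood from 200 bots (constructed)."""
    recs = []
    for sec in range(8):
        # 50 legitimate clients: 1,000 pps / 10 Mbps in total per second
        for i in range(50):
            recs.append(FlowRecord(sec, f"198.51.100.{i}", TARGET, 20, 25_000))
        if sec >= 5:
            # 200 bots, each 1,000 packets of 1,250 bytes per second: 200,000 pps / 2 Gbps
            for b in range(200):
                recs.append(FlowRecord(sec, f"192.0.2.{b}", TARGET, 1_000, 1_250_000))
    return recs


def demo():
    """Run both detectors over the constructed capture and return what each saw."""
    rates = per_second_rates(constructed_records())
    baseline = learn_baseline_pps(rates, TARGET, range(5))
    return {
        "baseline_pps": baseline,
        "saturation_alerts": saturation_alerts(rates),        # legacy rule stays silent
        "baseline_alerts": baseline_alerts(rates, TARGET, baseline),  # seconds 5, 6, 7
        "attack_bps": rates[TARGET][5][1],
        "attack_sources": rates[TARGET][5][2],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The flood runs at about 2 Gbps, a fifth of the assumed link, so the saturation rule never fires even though the target is receiving two hundred times its normal packet rate from five times as many sources; the baseline rule flags every attack second. A production detector would also want per-protocol and per-destination-port baselines and a much shorter window than one second, but the contrast is the point.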

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more about Corero’s deployment models, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean was network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Before that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.