0day Exploit in Zyxel Network Storage Devices CVE-2020-9054

[BerndH]

@shv

Thanks for your prompt assistance!
No, I could not update the tweaks package.
So I copied 20200310zypkg035 manually to the NAS. After some trials/restarts it finally seems to work - the package Tweaks is now shown as 20200310zypkg035 (MetaRepository still shown as before as 20181001zypkg015!) and includes the link to the vulnerability tweak.

The POC does not shut down the NAS any longer!

Is there a way to verify/proof whether the NAS had been tampered (exploiting the vulnerability) in the interim period?

[Mijzelf]

Unfortunately not. There is no log or something like that. So you can only be sure it has been tampered when bad things happen, but you can't reverse that.

If you know which processes are supposed to run, you can have a look at the process list, but that is not waterproof. Theoretically a binary could be installed in such a way that it's only started on boot, or when the recyclebin is emptied, or...

I don't think there is such sophisticated malware around, the only reports I have read are about ransomware, which make themselves know within a few days.

[shv]

I think Emotet is just for PCs and not for NAS devices. Emotet is the so called king of malware.
https://www.heise.de/ct/artikel/Was-Emo ... 65958.html and
https://www.heise.de/ct/artikel/Trojane ... 37807.html

[BerndH]

Anyway, thanks a lot for your help to both of you!
Think we can close this topic for the time being.