Threat actors are actively scanning and exploiting a pair of security flaws said to affect up to 92,000 D-Link network-attached storage (NAS) devices exposed to the internet.
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in a notice, said it does not plan to ship a patch and is instead urging customers to replace the affected devices.
“The vulnerability resides in the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials and a command injection vulnerability via system parameter,” the security researcher known as netsecfish said in an article at the end of March 2024.
Successful exploitation of the flaws could lead to arbitrary command execution on affected D-Link NAS devices, giving threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.
The problems affect the following models:
- DNS-320L
- DNS-325
- DNS-327L
- DNS-340L
Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to spread the Mirai botnet malware, thus making it possible to remotely control D-Link devices.
In the absence of a solution, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.
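For defenders who cannot pull a device immediately, the following is an added example (not code from netsecfish, D-Link, GreyNoise or Shadowserver) that scans web or reverse-proxy access logs for requests to the nas_sharing.cgi URI and flags those carrying the system parameter. The log format, paths, addresses and values in the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "nas_sharing.cgi"  # URI named in the article
PARAM = "system"              # parameter named in the article


def classify(line):
    """Return (ip, verdict) if the line touches the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Match on the last path segment, case-insensitively.
    if url.path.rsplit("/", 1)[-1].lower() != ENDPOINT:
        return None
    # keep_blank_values so an empty "system=" is still counted.
    names = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    if PARAM not in names:
        return m["ip"], "probe"
    # A 200 means the device answered: treat as possible compromise.
    if m["status"] == "200":
        return m["ip"], "injection-attempt-200"
    return m["ip"], "injection-attempt"


def summarize(lines):
    """Map each source IP to the set of verdicts seen for it."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].add(result[1])
    return dict(hits)


# Constructed sample lines: documentation IPs, made-up paths and values.
SAMPLE = [
    '198.51.100.7 - - [09/Apr/2024:10:01:02 +0000] "GET /example/nas_sharing.cgi?system=PLACEHOLDER HTTP/1.1" 200 120',
    '203.0.113.9 - - [09/Apr/2024:10:02:10 +0000] "GET /example/NAS_SHARING.CGI HTTP/1.1" 404 0',
    '203.0.113.9 - - [09/Apr/2024:10:02:11 +0000] "GET /example/nas_sharing.cgi?system= HTTP/1.1" 403 0',
    '192.0.2.4 - - [09/Apr/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, verdicts in sorted(summarize(SAMPLE).items()):
        print(ip, sorted(verdicts))
```

Parameters sent in a request body do not appear in access logs, so a "probe" verdict does not rule out an injection attempt; any external hit on this URI is a reason to check whether the device is still reachable from the internet.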
The findings once again demonstrate that Mirai botnets continually adapt and incorporate new vulnerabilities into their repertoire, with threat actors rapidly developing new variants designed to abuse these issues to breach as many devices as possible.
With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks’ Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in targeted networks.
“Some scanning attacks originate from benign networks possibly driven by malware on infected machines,” the company said.
“By launching scanning attacks from compromised hosts, attackers can achieve the following: cover their tracks, bypass geofencing, expand botnets, [and] exploit the resources of these compromised devices to generate a higher volume of scan requests than they could achieve using their own devices alone.”