Threat actors are actively exploiting critical vulnerabilities affecting approximately 92,000 internet-exposed D-Link network-attached storage (NAS) devices, leaving them susceptible to malware attacks.
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), these flaws impact legacy D-Link products that have reached end-of-life (EoL) status. As a result, D-Link has announced that it does not intend to release a patch and advises customers to replace these devices.
A security researcher known as netsecfish revealed in late March 2024 that the vulnerability resides within the nas_sharing.cgi URI and stems from two primary issues: a backdoor enabled by hardcoded credentials and a command injection vulnerability via the system parameter.
Successful exploitation of these vulnerabilities could result in arbitrary command execution on the affected D-Link NAS devices. This would grant threat actors the capability to access sensitive information, modify system configurations, or trigger denial-of-service (DoS) incidents.
The affected models include DNS-320L, DNS-325, DNS-327L, and DNS-340L. GreyNoise, a threat intelligence firm, has reported attempts by attackers to exploit these flaws to distribute the Mirai botnet malware, potentially allowing them to remotely take control of the compromised D-Link devices.
In the absence of a patch, the Shadowserver Foundation recommends users either disconnect these devices from the internet or restrict remote access to the appliance through firewall configurations to mitigate potential threats.
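As an added example (not code from the article, D-Link or the researcher), the following Python detector can be run over an access log from the NAS or a reverse proxy in front of it to flag requests to the nas_sharing.cgi endpoint described above, escalating the severity when the system parameter named as the injection vector is present. The Common Log Format layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format). They only
# exercise the detector and are not real traffic from any incident.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2024:10:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?system=constructed-value HTTP/1.1" 200 512
198.51.100.9 - - [08/Apr/2024:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [08/Apr/2024:10:12:09 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 77
192.0.2.4 - - [08/Apr/2024:10:12:11 +0000] "GET /cgi-bin/NAS_SHARING.CGI?other=1 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_CGI = "nas_sharing.cgi"   # endpoint named in the article
INJECT_PARAM = "system"          # parameter named as the command-injection vector


def classify_request(method, target):
    """Return 'high', 'medium' or None for a single request target.

    Any access to the vulnerable CGI on an EoL device is worth a look
    (medium); a visible 'system' query parameter is high. Note that a
    POST body is not recorded in an access log, so a POST to the endpoint
    can only be rated medium from this data source.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(TARGET_CGI):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    return "high" if INJECT_PARAM in params else "medium"


def scan_log(text):
    """Return (client_ip, method, target, severity) for each flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as CLF
        severity = classify_request(m["method"], m["target"])
        if severity:
            hits.append((m["ip"], m["method"], m["target"], severity))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit on an internet-facing interface is itself a finding, since the recommended mitigation is that the endpoint should not be reachable from outside at all.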
This discovery underscores the ongoing evolution of Mirai botnets, as threat actors rapidly adapt and incorporate new vulnerabilities to breach an increasing number of devices. Palo Alto Networks Unit 42 has revealed that threat actors are increasingly utilizing malware-initiated scanning attacks to identify vulnerabilities within target networks.
“Scanning attacks originating from benign networks, likely propelled by malware on compromised machines, serve various purposes, including covering tracks, evading geofencing, enlarging botnets, and harnessing the resources of compromised devices to escalate scanning volume,” stated the company.
As network devices emerge as prime targets for financially motivated and nation-state-linked attackers, it is imperative for organizations to remain vigilant and implement robust security measures to safeguard against evolving threats.