Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.
Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status.
D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.
Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.
The issues affect the following models – DNS-320L DNS-325 DNS-327L, and DNS-340L Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.
In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.
With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.
“Some scanning attacks originate from benign networks likely driven by malware on infected machines,” the company said.
It is estimated that up to 92,000 D-Link network-attached storage (NAS) devices that are exposed to the internet are vulnerable to two security flaws that threat actors are actively searching for and taking advantage of.
These vulnerabilities, identified as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), affect D-Link’s legacy products that are no longer in production. In a warning, D-Link stated that it will not be shipping a patch and that users should replace them instead.
Security researcher known only as netsecfish stated in late March 2024 that “the vulnerability lies within the nas_sharing . cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter.”.
If the vulnerabilities are successfully exploited, threat actors may be able to execute arbitrary commands on the impacted D-Link NAS devices, which would allow them to access private data, change system settings, or even cause a denial-of-service (DoS) scenario.
The following models are impacted by the issues.
DNS-320L.
DNS-325.
DNS-327L, as well as.
340L DNS.
GreyNoise, a threat intelligence firm, reported that it had seen attempts by attackers to weaponize the vulnerabilities in order to distribute the Mirai botnet malware, which would enable remote control of the D-Link devices.
The Shadowserver Foundation advises users to either take these devices offline or access the appliance remotely through a firewall in order to reduce potential threats, in the event that a fix is not available.
The results show that threat actors are constantly evolving new versions of Mirai botnets that are intended to take advantage of these flaws in order to compromise as many devices as they can. This is how the botnets are constantly adapting and adding new vulnerabilities to their repertoire.
The development coincides with the fact that Palo Alto Networks Unit 42 revealed that threat actors are increasingly turning to malware-initiated scanning attacks to flag vulnerabilities in target networks. Financially motivated and nation-state-linked attackers are increasingly targeting network devices.
According to the company, “malware on infected machines likely drives some scanning attacks from benign networks.”.
Attackers can cover their tracks, get around geofencing, grow botnets, and increase the volume of scanning requests they generate by initiating scanning attacks from compromised hosts by utilizing these devices’ resources. This is in addition to the advantages that come with using compromised devices for other purposes. “.
