Threat actors are actively targeting and exploiting a pair of security vulnerabilities affecting around 92,000 D-Link network-attached storage (NAS) devices that are exposed on the internet.
These vulnerabilities, known as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), impact older D-Link products that have reached end-of-life (EoL) status. D-Link has stated in an advisory that it will not release a patch and advises customers to replace these devices.
“The vulnerability lies within the nas_sharing.cgi uri, due to a combination of hard-coded credentials and a command injection flaw via the system parameter,” explained security researcher netsecfish in late March 2024.
Exploiting these flaws could result in arbitrary command execution on the affected D-Link NAS devices, allowing threat actors to access sensitive data, change system settings, or trigger a denial-of-service (DoS) attack.
The specific models affected include:
- DNS-320L
- DNS-325
- DNS-327L
- DNS-340L
According to GreyNoise, attackers have been trying to use these vulnerabilities to distribute the Mirai botnet malware, enabling them to take control of the compromised D-Link devices.
In the absence of a patch, the Shadowserver Foundation suggests either disconnecting these devices from the internet or blocking remote access to prevent potential attacks.
This development highlights the evolving tactics of Mirai botnets, with threat actors continuously exploiting new vulnerabilities to compromise more devices. Palo Alto Networks Unit 42 has also revealed an increase in malware-initiated scanning attacks to identify vulnerabilities in target networks.
According to Unit 42, some of these scanning attacks originate from compromised machines, enabling attackers to cover their tracks, evade geofencing, expand botnets, and use compromised devices to launch a higher volume of scanning requests.
