April 9, 2024

Mirai malware deployed to vulnerable D-Link NAS devices

Over 92,000 end-of-life D-Link network-attached storage (NAS) devices are being targeted to deploy malware designed to add the infected legacy devices to the Mirai botnet.

Threat actors are combining two vulnerabilities: CVE-2024-3272, a newly discovered backdoor, and CVE-2024-3273, a command injection issue. Together, these could allow remote code execution (RCE), potentially leading to unauthorized access to sensitive information and system configurations, or denial-of-service conditions.

CVE-2024-3273 affects various D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others. All these devices are considered end-of-life; therefore D-Link will not be developing patches to address the security vulnerability.

Furthermore, the devices do not have automatic online updating or alert delivery capabilities, so D-Link is unable to advise users of the ongoing attack. Instead, D-Link is encouraging users of the affected devices to take them offline and replace them with modern solutions for which firmware updates are available.

Source: Bleeping Computer



Analysis

Vulnerable, internet-exposed, unsupported devices are highly sought after by botnet operators, such as those running Mirai, who are looking to grow their existing botnets. These newly acquired bots will likely enable future Mirai DDoS attacks and other malicious activities.

Making matters worse, other threat actors will soon jump on the bandwagon, likely conducting ransomware or data extortion attacks against vulnerable devices.

This case highlights the risks associated with using end-of-life devices that are no longer supported by their vendor. While it can be costly to replace these devices once they are no longer supported, the risk of both losing access to the sensitive information they contain and having that information leaked may outweigh the cost of replacing them in the first place.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.

Covalence users were automatically notified of any vulnerable D-Link NAS devices detected in their environment. Review these AROs as quickly as possible via the Covalence portal.

Field Effect strongly encourages all other users of affected D-Link NAS devices to cease using them as soon as possible and replace them with modern equivalents. Additionally, we recommend that users not expose NAS devices to the open internet unless there is a legitimate business need to do so. Otherwise, they should only be available to authenticated users on the same network.
