April 9, 2024 at 02:15AM
Security flaws in legacy D-Link NAS devices are being exploited by threat actors, impacting over 92,000 internet-exposed devices. The vulnerabilities allow arbitrary command execution, potentially leading to unauthorized access and denial-of-service conditions. No patches are expected, and users are advised to replace affected devices or firewall remote access. Attackers are incorporating these flaws into the Mirai botnet.
Key takeaways from the meeting notes:
1. Threat actors are actively exploiting vulnerabilities (CVE-2024-3272 and CVE-2024-3273) affecting legacy D-Link NAS devices, prompting D-Link to recommend device replacement instead of patching.
2. The vulnerabilities are associated with the nas_sharing.cgi URI, featuring backdoor access and a command injection vulnerability, potentially leading to arbitrary command execution and unauthorized access to sensitive data.
3. Specific D-Link models like DNS-320L, DNS-325, DNS-327L, and DNS-340L are affected by these vulnerabilities.
4. GreyNoise observed attempts to use the vulnerabilities to distribute the Mirai botnet malware, enabling attackers to remotely control compromised D-Link devices.
5. The Shadowserver Foundation advises taking affected devices offline or firewalling remote access in the absence of a fix, while Palo Alto Networks Unit 42 notes an increase in malware-initiated scanning attacks targeting network vulnerabilities.
6. The speed with which Mirai variants absorb newly disclosed flaws, together with the growth in scanning launched from already compromised hosts, underlines the importance of tracking emerging threats as they appear.
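One defensive check a practitioner can run while such a device is still on the network, as an added example not drawn from the article or from D-Link: a small Python scan that flags every request to the nas_sharing.cgi URI in web-server access logs and counts them per source address. The log lines, the /cgi-bin/ directory prefix and the query strings are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Added example, not vendor code: on a device that cannot be patched, any request
# reaching nas_sharing.cgi from outside the LAN is worth an alert.
TARGET_SCRIPT = "nas_sharing.cgi"

# Constructed sample access log (Combined Log Format); addresses are documentation
# ranges, the /cgi-bin/ prefix is an assumption and query strings are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2024:02:10:31 +0000] "GET /cgi-bin/nas_sharing.cgi?PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [09/Apr/2024:02:10:45 +0000] "GET /web/login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2024:02:11:02 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.55 - - [09/Apr/2024:02:12:17 +0000] "POST /cgi-bin/NAS_SHARING.CGI HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD TARGET PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the parsed fields, or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hits_target_script(target):
    """True if the request path ends in nas_sharing.cgi, ignoring case and any query string."""
    path = urlsplit(target).path
    return path.rsplit("/", 1)[-1].lower() == TARGET_SCRIPT

def find_suspicious(lines):
    """Return (matching records, Counter of client addresses) for requests to the script."""
    matches = []
    for line in lines:
        rec = parse_line(line)
        if rec and hits_target_script(rec["target"]):
            matches.append(rec)
    return matches, Counter(r["ip"] for r in matches)

if __name__ == "__main__":
    recs, by_ip = find_suspicious(SAMPLE_LOG.splitlines())
    for r in recs:
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["target"]} -> {r["status"]}')
    print("requests per source:", dict(by_ip))
```

Even a 404 response is kept, since a probe against a device that was never exposed still tells you who is scanning for it.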