Hackers are actively exploiting a pair of recently discovered vulnerabilities to remotely commandeer network-attached storage devices manufactured by D-Link, researchers said Monday.
Roughly 92,000 devices are vulnerable to the remote takeover exploits, which can be remotely transmitted by sending malicious commands through simple HTTP traffic.
The researcher said they were making the threat public because D-Link said it had no plans to patch the vulnerabilities, which are present only in end-of-life devices, meaning they are no longer supported by the manufacturer.
On Monday, researchers said their sensors began detecting active attempts to exploit the vulnerabilities starting over the weekend.
Greynoise, one of the organizations reporting the in-the-wild exploitation, said in an email that the activity began around 02:17 UTC on Sunday.
The attacks attempted to download and install one of several pieces of malware on vulnerable devices depending on their specific hardware profile.
One such piece of malware is flagged under various names by 40 endpoint protection services.
Security organization Shadowserver has also reported seeing scanning or exploits from multiple IP addresses but didn't provide additional details.
Cgi programming interface of the vulnerable devices, provide an ideal recipe for remote takeover.
The first, tracked as CVE-2024-3272 and carrying a severity rating of 9.8 out of 10, is a backdoor account enabled by credentials hardcoded into the firmware.
The second is a command-injection flaw tracked as CVE-2024-3273 and has a severity rating of 7.3.
It can be remotely activated with a simple HTTP GET request.
Netsecfish, the researcher who disclosed the vulnerabilities, demonstrated how a hacker could remotely commandeer vulnerable devices by sending a simple set of HTTP requests to them.
In the exploit example below, the text inside the first red rectangle contains the hardcoded credentials-username messagebus and an empty password field-while the next rectangle contains a malicious command string that has been base64 encoded.
According to netsecfish, Internet scans found roughly 92,000 devices that were vulnerable.
The best defense against these attacks and others like them is to replace hardware once it reaches end of life.
Barring that, users of EoL devices should at least ensure they're running the most recent firmware.
D-Link provides this dedicated support page for legacy devices for owners to locate the latest available firmware.
Another effective protection is to disable UPnP and connections from remote Internet addresses unless they're absolutely necessary and configured correctly.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 09 Apr 2024 15:28:05 +0000