Cybersecurity experts have raised alarms about active exploitation attempts targeting two significant vulnerabilities in D-Link network-attached storage (NAS) devices. These flaws, identified as CVE-2024-3272 (with a critical severity score of 9.8) and CVE-2024-3273 (with a severity score of 7.3), pose a threat to an estimated 92,000 D-Link NAS devices that are accessible via the internet. The affected models are part of D-Link's legacy product line, which includes the DNS-320L, DNS-325, DNS-327L, and DNS-340L. These products have already reached their end-of-life (EoL) phase, and D-Link has announced it will not release any patches for these vulnerabilities, advising customers to consider replacing their devices.

The vulnerabilities were detailed by a security researcher known as netsecfish in late March 2024. They explained that the flaws are located within the nas_sharing.cgi URI. The vulnerabilities arise from two primary issues: the presence of hard-coded credentials that create a backdoor, and a command injection vulnerability in the system parameter. Exploiting these vulnerabilities could enable attackers to execute commands arbitrarily, potentially leading to unauthorized access to sensitive data, modification of system settings, or even initiating a denial-of-service (DoS) attack.

GreyNoise, a threat intelligence firm, has observed attempts by attackers to exploit these vulnerabilities to distribute the Mirai botnet malware. This would allow them to remotely control the affected D-Link devices. In light of the absence of an official fix, the Shadowserver Foundation has advised users to either disconnect these devices from the internet or implement firewall restrictions on remote access to mitigate the risk of exploitation.

These incidents underscore the ongoing threat posed by Mirai botnets, which are continually evolving to exploit new vulnerabilities. This adaptability enables attackers to develop new variants aimed at compromising as many devices as possible. Furthermore, Palo Alto Networks’ Unit 42 highlights a trend among threat actors towards utilizing malware-initiated scanning attacks. Such tactics enable attackers to identify vulnerabilities within target networks discreetly, allowing them to mask their activities, bypass geographic restrictions, expand their botnet networks, and use the resources of compromised devices to increase the volume and efficiency of their scanning operations.