D-Link

Image: Midjourney

​Attackers are now actively targeting over 92,000 end-of-life D-Link Network Attached Storage (NAS) devices exposed online and unpatched against a critical remote code execution (RCE) zero-day flaw.

As BleepingComputer first reported on Saturday, this security vulnerability (CVE-2024-3273) is the result of a backdoor facilitated through a hardcoded account (username "messagebus" with an empty password) and a command injection issue via the "system" parameter.

Threat actors are now chaining these two security flaws to deploy a variant of the Mirai malware (skid.x86). Mirai variants are usually designed to add infected devices to a botnet that can be used in large-scale distributed denial-of-service (DDoS) attacks.

These attacks started on Monday, as observed by cybersecurity firm GreyNoise and threat monitoring platform ShadowServer. Two weeks earlier, security researcher Netsecfish disclosed the vulnerability after D-Link informed them that these end-of-life devices would not be patched.

"The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others," Netsecfish explains.

"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions."

Vulnerable D-Link NAS devices exposed online
Vulnerable D-Link NAS devices exposed online (Netsecfish)

​When asked whether security updates would be released to patch this zero-day vulnerability, D-Link also told BleepingComputer that they no longer supported these end-of-life (EOL) NAS devices.

"All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported," a D-Linkspokesperson told BleepingComputer.

"D-Link recommends retiring these products and replacing them with products that receive firmware updates."

Model End of Service Life Fixed Firmware Conclusion
DNS-320L 05/31/2020: Link Not Available Retire & Replace
DNS-325 09/01/2017: Link Not Available Retire & Replace
DNS-327L 05/31/2020: Link Not Available Retire & Replace
DNS-340L 07/31/2019: Link Not Available Retire & Replace

The spokesperson added that these NAS devices do not have automatic online updating or alert delivery capabilities, making it impossible to notify the owners of these ongoing attacks.

After the disclosure, D-Link released a security advisory on Thursday to notify owners about the security vulnerability and advise them to retire or replace the affected devices as soon as possible.

It also created a support page for legacy devices, warning owners to apply the latest security and firmware updates available through the legacy support website, although that wouldn't protect their devices from attackers.

"If US consumers continue to use these devices against D-Link's recommendation, please make sure the device has the last known firmware," D-Link warned.

What D-Link didn't say is that NAS devices shouldn't be exposed online since they are commonly targeted in ransomware attacks to steal or encrypt data.

In recent months, other D-Link devices (some of them also end-of-life) have been targeted by several Mirai-based DDoS botnets (one of them tracked as IZ1H9). Their owners are continuously working on expanding their capabilities, adding new exploits and targets to attack.

Related Articles:

Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Over 92,000 exposed D-Link NAS devices have a backdoor account

CISA tags Microsoft SharePoint RCE bug as actively exploited

Exploit released for Fortinet RCE bug used in attacks, patch now

Hackers exploit critical RCE flaw in Bricks WordPress site builder