Investigating Exploit Attacks of the D-Link NAS CVE-2024-3273 Vulnerability
Recently, security researchers published a remote code execution exploit for D-Link NAS devices. The vulnerability, tracked as CVE-2024-3273, allows attackers to trivially package shell commands into a request, which are then executed on the device with root permissions. The CrowdSec Network started detecting exploitation attempts soon after the exploit was published. Because the affected devices are too old to receive a patch from the manufacturer, the exploit is a prime target for IoT botnets such as Mirai and Miori.
In this article, we share the information we have gathered about the exploit so far: the endpoints targeted, the payloads used, and Indicators of Compromise (IoCs) for the most aggressive attackers.
How does CVE-2024-3273 work?
The exploit targets end-of-life network attached storage (NAS) devices sold to end users. Researchers found that one of the Common Gateway Interface (CGI) binaries can execute arbitrary commands on the system, and that a hidden default account with no password allows this execution to be triggered remotely. In our data we also see calls to another binary, orospucoc.cgi, using the same payload structure.
The payload for the attack is inserted into the system parameter in base64-encoded form. This gives the following PoC:
/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=ZWNobyBoZWxsbw==
In our case the payload is simply echo hello, but other payloads are possible. For the orospucoc.cgi binary we have observed the following two paths:
/.most/orospucoc.cgi
/cgi-bin/orospucoc.cgi
The term orospucoc is a Turkish insult. Presumably this is a backdoor left behind by a previous attack or a particularly angry Turkish security scanner.
What kind of payloads are being delivered?
In the following table we list payloads that the CrowdSec Network has observed with some frequency.
We want to highlight the last payload in the list. This is the classic version of the Miori botnet payload: the attacker forces the victim to download and execute a script hosted on the attacking host itself. The process is then propagated forward, with the victim turning into a fresh attacker. This particular attacker has been aggressive enough to land in the community blocklist.
Who is exploiting CVE-2024-3273?
As with most exploits used by botnets, it is hard to ascertain the true origin of the attackers; the geographic distribution of the attacks we see is really a distribution of vulnerable devices. We will however provide the following three IoCs, which engaged in the most active abuse of the vulnerability:
103(.)245(.)236(.)120
45(.)128(.)232(.)229
5(.)10(.)250(.)35
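As an added example (not part of the original article and not CrowdSec's own rules), the Python script below shows what a defender's log check for this attack looks like: it parses constructed access-log lines, flags requests to the CGI endpoints listed above, decodes the base64 system parameter so the attempted command becomes visible, and marks requests whose source is one of the three IoC addresses. The log line format and the analyse_line/scan helper names are assumptions; the endpoints, the messagebus account and the IoC addresses come from the article.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# CGI endpoints observed in the attacks described in the article (lowercase for comparison).
VULNERABLE_CGI = {
    "/cgi-bin/nas_sharing.cgi",
    "/.most/orospucoc.cgi",
    "/cgi-bin/orospucoc.cgi",
}

# The three most active sources listed in the article, refanged from their "(.)" form.
IOC_SOURCES = {
    s.replace("(.)", ".")
    for s in ("103(.)245(.)236(.)120", "45(.)128(.)232(.)229", "5(.)10(.)250(.)35")
}

# Loose Combined Log Format pattern (assumed log layout): client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_system_param(raw):
    """Decode the base64 `system` parameter; return None when it is absent or not valid base64."""
    if not raw:
        return None
    # parse_qs already percent-decodes; a literal '+' in unencoded base64 arrives as a space.
    s = raw.replace(" ", "+")
    # Tolerate payloads whose '=' padding was stripped by the sender.
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyse_line(line):
    """Return a finding dict for an exploit attempt, or None for lines that do not touch the CGIs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() not in VULNERABLE_CGI:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    user = qs.get("user", [""])[0]
    passwd = qs.get("passwd", [None])[0]
    command = decode_system_param(qs.get("system", [""])[0])
    ip = m.group("ip")

    reasons = ["request to vulnerable CGI endpoint"]
    if user == "messagebus" and passwd == "":
        reasons.append("hidden default account with empty password")
    if command is not None:
        reasons.append("base64-encoded command in system parameter")
    if ip in IOC_SOURCES:
        reasons.append("source listed as an active exploiter")

    return {
        "source": ip,
        "path": parts.path,
        "user": user,
        "command": command,
        "status": int(m.group("status")),
        "known_ioc": ip in IOC_SOURCES,
        "reasons": reasons,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines and collect the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not real captures). The first source is an IoC from the article;
# the other addresses are documentation ranges. "aWQ=" is base64 for "id".
SAMPLE_LOG = [
    '103.245.236.120 - - [10/Apr/2024:12:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=ZWNobyBoZWxsbw== HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2024:12:00:02 +0000] "GET /.most/orospucoc.cgi?user=messagebus&passwd=&cmd=15&system=aWQ= HTTP/1.1" 404 169',
    '203.0.113.9 - - [10/Apr/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.8 - - [10/Apr/2024:12:00:04 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=ZWNobyBoZWxsbw HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['source']:16} {finding['path']:26} cmd={finding['command']!r} "
              f"ioc={finding['known_ioc']} reasons={finding['reasons']}")
```

The decoded command is reported rather than acted on; the point of decoding it is that a plain string match on the URL would never see "echo hello" or a download-and-execute script, so blocking and alerting rules need the decoded value (or, as here, simply the presence of the endpoint plus the messagebus account) to classify the request. Note that a 404 on the orospucoc.cgi path still counts as an attempt worth correlating with the IoC list.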
Response
In response to the attacks we are seeing, we rolled out AppSec Component rules with detection scenarios for this attack. This protects our Web Application Firewall (WAF) users from the harm posed by these attackers. If you do have a vulnerable device, it is also recommended to avoid exposing it to the wider internet by keeping it behind your router. This ensures that future attacks against this end-of-life product will not affect your devices. If you prefer a more robust and advanced solution, you could give our AppSec Component a try!