www.greynoise.io
63.35.51.142

URL: https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild
Submission: On July 12 via api from IT — Scanned from IT


Text Content


CVE-2024-3273: D-LINK NAS RCE EXPLOITED IN THE WILD

Matthew Remacle

April 8, 2024



A remote code execution vulnerability in D-Link NAS devices, tracked as
CVE-2024-3273, is being actively exploited. The vulnerability is believed to
affect as many as 92,000 devices; further information can be found in
D-Link’s support announcement.

(04/11/2024): CLARIFICATION ON CVE-2024-3273 & CVE-2024-3272

Exploitation of the CVE-2024-3273 command injection vulnerability requires two
valid parameters, `user=` and `passwd=`. A companion vulnerability, tracked as
CVE-2024-3272, describes the issue as "manipulation of the
argument user with the input messagebus leads to hard-coded credentials". It is
important to note that the "credentials" as described are only the username for
the user "messagebus".

"messagebus" is not a backdoor account. It is one of many common pre-configured
Linux system users that functionally cannot "log in", and thus have no password.
Other common examples of system users include avahi, syslog, nobody, ntp, rtkit,
and whoopsie. D-Link correctly validates that the username exists and also
correctly validates that the provided password is correct. The logic flaw
exercised by CVE-2024-3273 is that, although the empty (correct) password for
the "messagebus" user is accepted, nothing ever validates whether that user
should be able to log in using a password, if at all.

(04/09/2024): UPDATE ON NUMBER OF VULNERABLE DEVICES

Upon further analysis, it appears the number of vulnerable devices is much lower
than initially reported. According to our friends at Censys, the number is
closer to 5,500 devices.



GreyNoise quickly released a tag for tracking under D-Link NAS CVE-2024-3273 RCE
Attempt, which was relatively easy for us because our Sift tooling surfaced the
exploit to us automatically. Sift curates a report of new/interesting traffic
observed by GreyNoise sensors daily after doing much of the analysis and triage
work itself.

You can read more about Sift and check it out for yourself at
https://sift.labs.greynoise.io/

Sift’s analysis above is correct! Taking it a step further, the command the
above IP is attempting to execute is a generic shell script pattern used by
botnet operators to try to execute malware for every possible CPU architecture
in the expectation that at least one will work. The malware is fetched from
38[.]6[.]224[.]248 over HTTP.

We have retrieved the sample skid.x86 and uploaded it to VirusTotal for sharing
and further analysis:

 * https://www.virustotal.com/gui/file/859e679f8e8be4a4c895139fb7fb1b177627bbe712e1ed4c316ec85008426db8

This article is a summary of the full, in-depth version on the GreyNoise Labs
blog.