Hello and welcome to the Tuesday, April 30th, 20204 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Last few days we have been seeing sort of a second wave of attacks that appear to target a vulnerability in D-Link NAS devices.

There are really sort of two vulnerabilities at play here. The more severe one is a simple authentication

bypass. These devices use a user message bus without password. So user and attacker can just simply authenticate

with user equals message bus leaving the password empty. The original proof of concept for

this vulnerability was released about a month ago by a GitHub user who goes by the name of network security

fish, and it used a specific CGI to actually then execute arbitrary commands, and that's

NAS underscore sharing.cgi. And that's all of a little bit the second vulnerability here, that

in order to then execute

arbitrary commands using this easy-to-access user, you need to have a URL like NES underscore

sharing that allows you to actually just send commands to the device.

Shortly after the vulnerability was announced, we did see sort of a

wave of attacks that basically just exactly used the proof of concept exploit. What we started

seeing then mid-month and in the last few days it really has sort of spiking is the use of

another CGI script, Oros P-C-O-C-O-C-G-G-I, no real idea how to pronounce it.

It appears to be possibly a Turkish word, but it's nothing that I sort of really found documented anywhere.

The URL parameters that are being used to look exactly the same as we see used against NAS underscore sharing.

However, it's possible that this other script actually is more something like later introduced backdoor,

maybe using the first vulnerability and is now taking advantage

of that same authentication bypass in order to execute code.

If anybody has any more details, maybe you own one of these affected D-Link NAS devices.

...