Chinese Hackers Actively Attack D-Link Routers


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two security vulnerabilities affecting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog. These additions were made based on evidence of active exploitation. The Chinese hackers use an advanced Remote Access Trojan (RAT) named Deuterbear.

Here are the details of the vulnerabilities:

  1. CVE-2014-100005: This vulnerability is a cross-site request forgery (CSRF) flaw that affects D-Link DIR-600 routers. It enables an attacker to modify router configurations by hijacking an existing administrator session.
  2. CVE-2021-40655: This vulnerability is an information disclosure flaw affecting D-Link DIR-605 routers. Attackers can obtain a username and password by forging an HTTP POST request to the /getcfg.php page.
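As an added example (not code from the article or from D-Link), a small Python detector that scans web-server access-log lines from a router or reverse proxy for the two request patterns the KEV entries describe: a POST to /getcfg.php (CVE-2021-40655) and a configuration-changing POST whose Referer is missing or points at a foreign host, the usual footprint of a CSRF attempt (CVE-2014-100005). The log format (Combined Log Format), the router address and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample log lines (assumed Combined Log Format with a Referer field).
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2024:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "http://192.168.0.1/" "Mozilla/5.0"
10.0.0.9 - - [20/May/2024:10:01:07 +0000] "POST /getcfg.php HTTP/1.1" 200 2048 "-" "curl/7.88"
10.0.0.5 - - [20/May/2024:10:02:11 +0000] "POST /apply.cgi HTTP/1.1" 200 100 "http://evil.example/" "Mozilla/5.0"
10.0.0.5 - - [20/May/2024:10:02:30 +0000] "POST /apply.cgi HTTP/1.1" 200 100 "http://192.168.0.1/tools.htm" "Mozilla/5.0"
"""

# Assumed address of the router's administrative interface.
ROUTER_HOST = "192.168.0.1"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    rule: str
    src_ip: str
    path: str


def check(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing matches."""
    rec = LOG_RE.match(line)
    if rec is None:
        return None  # unparseable line, ignore
    ip, method, path, referer = rec["ip"], rec["method"], rec["path"], rec["referer"]
    if method != "POST":
        return None  # both rules concern POST requests only
    # Rule 1 (CVE-2021-40655): a POST to /getcfg.php can disclose credentials.
    if path.split("?", 1)[0] == "/getcfg.php":
        return Finding("CVE-2021-40655: POST to /getcfg.php", ip, path)
    # Rule 2 (CVE-2014-100005, CSRF): a state-changing POST whose Referer is absent
    # or belongs to a host other than the router was not sent from the admin UI.
    ref_host = urlparse(referer).hostname if referer != "-" else None
    if ref_host != ROUTER_HOST:
        return Finding("CSRF indicator: POST with missing/foreign Referer", ip, path)
    return None


def scan(log_text: str) -> list:
    """Scan a whole log and collect all findings in order."""
    return [f for f in (check(l) for l in log_text.splitlines()) if f is not None]
```

A hit on rule 1 from any source, or repeated rule 2 hits from a LAN client, is a reason to pull the device's configuration for review and to retire EoL units as the advisory recommends.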


Although there is currently limited information on how those Chinese hackers exploit the above vulnerabilities, federal agencies have urged the implementation of vendor-provided mitigations by June 6, 2024.

It’s important to note that CVE-2014-100005 impacts legacy D-Link products that have reached end-of-life (EoL) status. As a result, organizations still using these devices are advised to retire and replace them.

In related news, the SSD Secure Disclosure team recently uncovered unpatched security issues in DIR-X4860 routers. These issues allow remote unauthenticated attackers to access the HNAP port, gain elevated permissions, and execute commands as root. According to the team, “By combining an authentication bypass with command execution, the device can be completely compromised.” These vulnerabilities affect routers running firmware version DIRX4860A1_FWV1.04B03. SSD Secure Disclosure has also provided a proof-of-concept (PoC) exploit that utilizes a specially crafted HNAP login request to bypass authentication protections and achieve code execution through a command injection vulnerability.

D-Link has acknowledged the issue in its own bulletin and stated that a fix is currently “Pending Release / Under Development.” The company has described the vulnerability as a LAN-side unauthenticated command execution flaw.

Furthermore, Ivanti EPMM (Endpoint Manager Mobile) has been found to have multiple flaws. Cybersecurity researchers have released a proof-of-concept exploit for a new vulnerability (CVE-2024-22026, CVSS score: 6.7) that allows an authenticated local user to bypass shell restrictions and execute arbitrary commands on the appliance. According to Redline Cyber Security’s Bryan Smith, “This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.” The issue arises from inadequate validation in the EPMM command-line interface’s installation command, which can fetch an arbitrary RPM package from a user-provided URL without verifying its authenticity. CVE-2024-22026 affects all versions of EPMM before 12.1.0.0. Ivanti has also addressed two other SQL injection vulnerabilities (CVE-2023-46806 and CVE-2023-46807, CVSS scores: 6.7) in the same product, which allow an authenticated user with appropriate privileges to access or modify data in the underlying database.
