| Category | Details |
|---|---|
| Threat Actors | Unspecified; associated with botnets like “FICORA” (Mirai variant) and “CAPSAICIN” (Keksec group-based variant). |
| Campaign Overview | Botnets exploiting long-standing vulnerabilities in D-Link routers to execute malicious commands, propagate malware, and conduct DDoS attacks. |
| Target Regions | Global for “FICORA”; primarily East Asia for “CAPSAICIN”. |
| Methodology | Exploiting HNAP vulnerabilities in D-Link devices to execute shell scripts, propagate malware, and launch DDoS attacks. |
| Products Targeted | D-Link DIR-645, DIR-806, GO-RT-AC750 (Revisions A & B), and DIR-845L routers. |
| Malware Reference | “FICORA” (Mirai variant) and “CAPSAICIN” (Keksec-based botnet variant). |
| Tools Used | Botnet malware (“FICORA” & “CAPSAICIN”), shell scripts (“multi” & “bins.sh”), brute-force functions with hardcoded credentials, and DDoS attack utilities. |
| Vulnerabilities Exploited | CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, CVE-2024-33112 (D-Link HNAP SOAPAction Header Command Execution). |
| TTPs | Exploiting router vulnerabilities for malware deployment, brute-forcing credentials, killing rival malware processes, and executing DDoS attacks using UDP, TCP, and DNS protocols. |
| Attribution | “FICORA” associated with Mirai botnet architecture; “CAPSAICIN” associated with the Keksec group and version 17.0.0 botnet derivatives. |
| Recommendations | Update router firmware, implement comprehensive monitoring, use Fortinet products for detection and mitigation, and participate in cybersecurity training. |
| Source | Fortinet |
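Detection example added here (not code from the Fortinet report): a log check that flags HNAP requests whose SOAPAction header carries anything beyond the expected HNAP1 namespace and a single action name, which is the header the CVEs in the table abuse. The tab-separated log format and the source IPs are constructed for the example; the purenetworks.com/HNAP1 namespace is assumed from the public HNAP protocol.

```python
import re
from collections import Counter
from typing import Optional

# A legitimate HNAP SOAPAction value is the HNAP1 namespace followed by one action
# name. Assumption: namespace taken from the public HNAP protocol; confirm against
# what your own firmware emits. Anything else in that header is suspect.
VALID_SOAPACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+/?"?$')
# Shell metacharacters have no business in a SOAPAction header.
SHELL_META = re.compile(r'[`$;|&<>()]')

# Constructed sample log: <src_ip> TAB <request> TAB <status> TAB <SOAPAction header>.
# Not lines from the report; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5\tPOST /HNAP1/\t200\t"http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.5\tPOST /HNAP1/\t200\t"http://purenetworks.com/HNAP1/GetRouterSettings"
198.51.100.7\tPOST /HNAP1/\t500\t"http://purenetworks.com/HNAP1/GetDeviceSettings/`echo probe`"
198.51.100.7\tPOST /HNAP1/\t200\t"http://purenetworks.com/HNAP1/GetDeviceSettings/$(echo probe)"
198.51.100.9\tPOST /HNAP1/\t200\t"http://purenetworks.com/HNAP1/Login"
"""


def classify_soapaction(value: str) -> Optional[str]:
    """Return a reason if the SOAPAction header looks like command injection, else None."""
    if SHELL_META.search(value):
        return "shell metacharacters in SOAPAction header"
    if not VALID_SOAPACTION.match(value):
        return "SOAPAction does not match the HNAP1 namespace/action form"
    return None


def scan_hnap_log(text: str) -> list:
    """Flag suspicious HNAP requests; one finding dict per offending log line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # not a line in the constructed four-field format
        src_ip, _request, status, soapaction = fields
        reason = classify_soapaction(soapaction.strip('"'))
        if reason:
            findings.append({"line": line_no, "src_ip": src_ip,
                             "status": int(status), "reason": reason})
    return findings


def offenders_by_ip(findings: list) -> Counter:
    """Count flagged requests per source IP to spot hosts worth blocking upstream."""
    return Counter(f["src_ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_hnap_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(offenders_by_ip(hits))
```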
Read full article: https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
The above summary has been generated by an AI language model