Botnets Continue to Target Aging D-Link Vulnerabilities

Category: Details

Threat Actors: Unspecified; associated with botnets such as “FICORA” (a Mirai variant) and “CAPSAICIN” (a Keksec-group-based variant).

Campaign Overview: Botnets exploiting long-standing vulnerabilities in D-Link routers to execute malicious commands, propagate malware, and conduct DDoS attacks.

Target Regions: Global for “FICORA”; primarily East Asia for “CAPSAICIN”.

Methodology: Exploiting HNAP vulnerabilities in D-Link devices to execute shell scripts, propagate malware, and launch DDoS attacks.

Products Targeted: D-Link DIR-645, DIR-806, GO-RT-AC750 (Revisions A and B), and DIR-845L routers.

Malware Reference: “FICORA” (Mirai variant) and “CAPSAICIN” (Keksec-based botnet variant).

Tools Used: Botnet malware (“FICORA” and “CAPSAICIN”), shell scripts (“multi” and “bins.sh”), brute-force functions with hardcoded credentials, and DDoS attack utilities.

Vulnerabilities Exploited: CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, CVE-2024-33112 (D-Link HNAP SOAPAction header command execution).

TTPs: Exploiting router vulnerabilities for malware deployment, brute-forcing credentials, killing rival malware processes, and executing DDoS attacks over UDP, TCP, and DNS.

Attribution: “FICORA” is associated with the Mirai botnet architecture; “CAPSAICIN” is associated with the Keksec group and version 17.0.0 botnet derivatives.

Recommendations: Update router firmware, implement comprehensive monitoring, use Fortinet products for detection and mitigation, and participate in cybersecurity training.

Source: Fortinet

Read full article: https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities

The above summary has been generated by an AI language model

Source: Fortinet

Published on: December 27, 2024
