D-Link Routers Under Attack – New Botnets Exploiting Legacy Flaws to Gain Remote Control


A surge in cyberattacks leveraging legacy vulnerabilities in D-Link routers has been detected, with two botnets, FICORA and CAPSAICIN, actively exploiting these weaknesses.

Researchers at Fortinet’s FortiGuard Labs observed a spike in activity from these botnets during October and November 2024, highlighting the persistent threat posed by outdated and unpatched networking devices.

Exploitation of Decade-Old Vulnerabilities

The botnets exploit flaws in the Home Network Administration Protocol (HNAP) interface of D-Link routers, enabling remote attackers to execute malicious commands.

These vulnerabilities, tracked under CVE identifiers such as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, were disclosed years ago but remain a significant risk due to the widespread use of unpatched devices.

Despite patches being available for many of these flaws, the continued reliance on legacy hardware has created an opportunity for cybercriminals to deploy malware at scale.

Exploitation Timeline


The FICORA botnet, a variant of the infamous Mirai malware, uses brute-force techniques to compromise devices and encrypts its configuration and command-and-control (C2) details with the ChaCha20 stream cipher to hinder analysis. It is capable of launching distributed denial-of-service (DDoS) attacks over multiple protocols, including UDP and TCP.

FICORA botnet

Meanwhile, the Kaiten-based CAPSAICIN botnet prioritizes rapid deployment and eliminates competing malware on infected devices to maintain control.

CAPSAICIN botnet

FortiGuard Labs identified that the FICORA botnet was propagated from servers located in the Netherlands (e.g., IPs 185[.]191[.]126[.]213 and 185[.]191[.]126[.]248). The attacks were global in nature, suggesting they were not targeted but opportunistic campaigns aimed at exploiting any vulnerable device.

Both botnets underscore the dangers posed by outdated network hardware. While the vulnerabilities have been known for years, many organizations have failed to implement patches or replace end-of-life devices. This negligence has allowed attackers to repeatedly exploit these weaknesses.

Experts strongly advise enterprises and individuals to take proactive measures to mitigate these risks:

  • Regular Updates: Ensure that all routers and network devices are running the latest firmware versions.
  • Device Replacement: Replace end-of-life (EOL) hardware that no longer receives security updates.
  • Network Monitoring: Implement comprehensive monitoring solutions to detect unusual traffic patterns indicative of botnet activity.
  • Access Restrictions: Disable remote management features unless absolutely necessary and use strong, unique passwords for device access.
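The "Network Monitoring" and "Access Restrictions" recommendations can be turned into a concrete log check. The following Python script is an added example written for this page, not code from Fortinet or the article: it walks router access-log lines and flags HNAP requests that arrive from outside an assumed LAN prefix (remote management exposed), HNAP requests carrying shell metacharacters (command-injection attempts against the HNAP interface), and traffic from the two Netherlands distribution servers the article names. The log format, the LAN prefix and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed access-log shape: <client_ip> <method> <path> <status> "<SOAPAction or body excerpt>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<extra>.*)"$'
)
# Characters that have no legitimate place inside an HNAP SOAPAction or header value.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
# Distribution servers named in the article (defanged there, plain here).
KNOWN_BAD_SOURCES = {"185.191.126.213", "185.191.126.248"}
# Assumed management LAN; replace with your own prefix(es).
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (not real traffic): a LAN admin, a known FICORA
# source, a remote request with injection characters, and unrelated traffic.
SAMPLE_LOG = """\
192.168.1.20 POST /HNAP1/ 200 "SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings"
185.191.126.213 POST /HNAP1/ 200 "SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.7 POST /HNAP1/ 500 "SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings`CONSTRUCTED`"
198.51.100.9 GET /index.html 200 "-"
"""

def is_lan(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as not on the LAN
    return any(addr in net for net in LAN_NETS)

def analyze(log_text: str) -> list:
    """Return one finding per suspicious line, with every reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, path, extra = m["ip"], m["path"], m["extra"]
        reasons = []
        if path.startswith("/HNAP1"):
            if not is_lan(ip):
                reasons.append("HNAP reachable from outside the LAN (remote management exposed)")
            if SHELL_META.search(extra):
                reasons.append("shell metacharacters in HNAP request (command-injection attempt)")
        if ip in KNOWN_BAD_SOURCES:
            reasons.append("source is a FICORA distribution server named by FortiGuard Labs")
        if reasons:
            findings.append({"ip": ip, "path": path, "reasons": reasons})
    return findings
```

Running `analyze(SAMPLE_LOG)` flags only the two non-LAN HNAP requests; the LAN admin's request and the unrelated GET are left alone.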

Organizations must prioritize updating or replacing vulnerable devices to prevent becoming unwitting participants in botnet-driven cybercrime campaigns.
