Cybercriminals are exploiting vulnerabilities in unpatched D-Link routers to spread botnets. Although the weaknesses have been known for years, they are still being actively exploited.
Fortinet warns of the rise of two botnets, Ficora and Capsaicin. The criminals behind them exploit vulnerabilities in outdated D-Link routers to spread the botnets. Device models already “recruited” into the botnets include the DIR-645, DIR-845L and GO-RT-AC750.
These are variants of the well-known Mirai and Kaiten botnets. Their impact is global: the Ficora botnet has already been found on servers of Dutch companies, while the Capsaicin botnet is mainly active in Southeast Asia.
HNAP
Research by FortiGuard Labs saw a spike in activity from both botnets in October and November 2024. The vulnerabilities include flaws in the Home Network Administration Protocol (HNAP) that allow attackers to remotely execute commands. The associated CVEs date back as far as 2015.
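As an added example (not from the Fortinet research or this article), a small Python check that scans a router's web access log for HNAP requests arriving from WAN-side addresses, which is the exposure the remote command execution flaws depend on. The log format, the sample lines and the LAN address list are constructed assumptions; only the `/HNAP1/` endpoint path is the real location of HNAP on D-Link routers.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed "router access log" format:
# <timestamp> <client_ip> <method> <path> soapaction=<value-or-->
# WAN-side addresses use documentation ranges (RFC 5737) as stand-ins.
SAMPLE_LOG = """\
2024-11-02T10:14:07Z 192.168.0.23 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
2024-11-02T10:14:09Z 203.0.113.45 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/Login"
2024-11-02T10:14:11Z 203.0.113.45 GET /HNAP1/ soapaction=-
2024-11-02T10:15:30Z 10.0.0.5 GET /index.html soapaction=-
2024-11-02T10:16:02Z 198.51.100.9 GET /HNAP1/ soapaction=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) soapaction=(?P<action>.*)$'
)

# Address ranges treated as "inside the LAN"; anything else is WAN-side.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]


@dataclass
class Finding:
    ts: str
    ip: str
    method: str
    action: str


def is_external(ip: str) -> bool:
    """True when the source address is outside every LAN range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_RANGES)


def find_wan_hnap_requests(log: str) -> list:
    """Return every HNAP request whose source address is WAN-side."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m['path'].startswith('/HNAP1'):
            continue
        if is_external(m['ip']):
            findings.append(Finding(m['ts'], m['ip'], m['method'], m['action'].strip('"')))
    return findings


def summarize_by_source(findings) -> dict:
    """Count WAN-side HNAP requests per source address for triage."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts
```

Any hit means the HNAP interface is reachable from the internet; on a patched router that is still unnecessary exposure, and on an unpatched one it is the precondition for the campaigns above.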
The Ficora botnet campaign spreads via a downloader script that targets various Linux architectures, such as ARM, MIPS and PowerPC. The script kills competing malware processes and launches a series of DDoS attacks. The malware also uses brute-force attacks with hard-coded usernames and passwords.
Capsaicin goes after similar targets, but uses different techniques to set up its command-and-control connection and execute attack instructions. Both campaigns are described in detail in a Fortinet blog post.
Outdated firmware
These campaigns demonstrate once again the risks of running outdated firmware. The exploited vulnerabilities have been known for years and the necessary patches are available. Companies that continue to use outdated hardware are at high risk of falling victim to these types of attacks.
Old routers are a popular target for cybercriminals, no matter what brand of router you have. Regular firmware updates and monitoring of network equipment reduce the chances of your router being the next target.