Taking advantage of security flaws in older router models, the two botnets Ficora and Capsaicin are stealing sensitive data from numerous victims.
A massive cyber attack, still ongoing and peaking between October and November, is claiming numerous victims around the world: experts from Fortinet, a US company specializing in the development of cybersecurity software, devices and services, have detected an intensification in the activity of the two botnets used in these incursions.
Ficora and Capsaicin, which appear to be variants of the already known Mirai and Kaiten botnets, exploit security flaws in some D-Link router models that are no longer supported by the Taiwanese manufacturer and therefore no longer receive firmware updates. Thanks to these vulnerabilities, cybercriminals have already obtained a significant amount of personal data, stolen from unsuspecting online users.
But which models ended up in the sights of the attackers? According to the US company that detected the “cyber incursions”, they are the D-Link DIR-645, DIR-806, GO-RT-AC750 and DIR-845L routers: despite being obsolete models, they continue to be used both by individual users and by small and large companies.
The Ficora and Capsaicin botnets penetrate systems through security bugs in the Home Network Administration Protocol (HNAP) interface, tracked under specific CVE numbers such as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112, which allow remote code execution (RCE).
Ficora, which has infected the routers of users all over the world, downloads and executes a shell script from a remote server that targets various Linux architectures. Once this is done, the payload is installed and a brute-force attack is performed using a list of hard-coded usernames and passwords to find valid credentials. Using techniques such as DNS amplification, TCP flooding and UDP flooding, the botnet can carry out DDoS attacks.
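As an added illustration (not part of the article or of Fortinet's analysis), the following Python script shows how a defender could spot the two behaviours described above in a router or reverse-proxy access log: HNAP requests arriving from outside the LAN, and repeated login failures from one source followed by a success. The log lines, IP addresses, paths and the brute-force threshold are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (Apache "combined"-style); they are made
# up for this example and are not taken from the article or from Fortinet's report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:01 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
192.168.0.10 - - [12/Nov/2024:10:02:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 300
198.51.100.9 - - [12/Nov/2024:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Nov/2024:10:03:01 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Nov/2024:10:03:02 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Nov/2024:10:03:03 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Nov/2024:10:03:04 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Nov/2024:10:03:09 +0000] "POST /login.cgi HTTP/1.1" 200 1200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# RFC 1918 ranges: any client outside them is treated as WAN-side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, brute_threshold=5):
    """Flag WAN-side HNAP access and credential brute-forcing in an access log."""
    wan_hnap = set()        # external IPs that reached the HNAP interface
    failures = Counter()    # failed logins per source IP
    success_after = set()   # IPs that logged in only after many failures
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if rec["path"].upper().startswith("/HNAP1") and not any(ip in n for n in LAN_NETS):
            wan_hnap.add(rec["ip"])
        if rec["path"].startswith("/login"):
            if rec["status"] == "401":
                failures[rec["ip"]] += 1
            elif rec["status"] == "200" and failures[rec["ip"]] >= brute_threshold:
                success_after.add(rec["ip"])
    brute = {ip: n for ip, n in failures.items() if n >= brute_threshold}
    return {"wan_hnap": wan_hnap, "brute_force": brute, "success_after_failures": success_after}
```

Any entry in `wan_hnap` means the HNAP interface is reachable from the internet, which on an unsupported router is reason enough to replace the device; `success_after_failures` is the pattern a hard-coded credential list produces when one of its entries finally matches.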
Capsaicin has been used primarily to attack the routers of Asian users, especially in East Asian countries. This botnet downloads its script from a different IP address and establishes a connection with a C2 server to report data about the compromised systems. Once it has exclusive access, obtained by searching for and killing the processes of other botnets, it can execute malicious commands such as removing the command history, launching flooding attacks over TCP, UDP or HTTP, changing the command-and-control server, or using proxies. After stealing sensitive data from the victim, it sends it to the remote server.
The only way to protect yourself in these cases is to change the access credentials and install the latest firmware; if this is not possible because the manufacturer has stopped supporting the device, the advice is to replace the router.

https://youtu.be/bbw8cwIVkR8?si=sKWQ79eHoS8kKCBB