A massive cyber attack, still ongoing and peaking between October and November, is claiming numerous victims all over the world, according to the experts of Fortinet, an American company that develops cybersecurity software, devices and services.
Ficora and Capsaicin, which appear to be variants of the well-known Mirai and Kaiten botnets, are exploiting security flaws in several models of D-Link router that the Taiwanese manufacturer no longer supports and that therefore receive no firmware updates: through this weakness, cybercriminals have already harvested a considerable amount of personal data from unsuspecting online users.
Which models are the attackers targeting? According to the US company that detected the intrusions, they are the D-Link DIR-645, DIR-806, GO-RT-AC750 and DIR-845L routers: although these models are obsolete, they are still in use both by individual users and by companies large and small.
The Ficora and Capsaicin botnets get into the devices through security bugs in the routers' Home Network Administration Protocol (HNAP) interface, tracked as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112, which allow remote code execution (RCE).
Ficora, which has infected routers around the world, downloads and executes a shell script from a remote server, with payloads built for several Linux architectures. Once the payload is installed, it runs a brute-force attack using a hard-coded list of usernames and passwords to obtain login credentials. The botnet can carry out DDoS attacks using techniques such as UDP flooding, TCP flooding and DNS amplification.
Capsaicin has mainly been used to attack the routers of users in Asia, especially in East Asian countries. This botnet downloads its script from a different IP address and connects to a C2 server to report information about the infected system. After securing exclusive access by finding and killing the processes of other botnets, it can execute malicious commands such as deleting the command history, starting proxies, switching to another command-and-control server or launching flooding attacks over TCP, UDP or HTTP. Sensitive data stolen from the victim is then sent to the remote server.
The only way to protect yourself in these cases is to change the login credentials and install the latest firmware: if this is not possible because the manufacturer has ended support, the advice is to replace the router.
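As an added illustration that is not part of the original article or of Fortinet's report, the Python script below shows how an administrator might look for two of the signs described above in a router's web-interface log (HNAP management requests arriving from outside the local network, and bursts of failed logins that fit the hard-coded credential guessing) and flag inventory entries that match the end-of-life models named here. The log format, the LAN address range, the sample log lines and the inventory entries are constructed assumptions.

```python
"""Added example (not from the article): triage helpers for the indicators it describes.
The log format, LAN range, sample lines and inventory below are assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# End-of-life D-Link models the article names as targets of Ficora and Capsaicin
EOL_MODELS = {"DIR-645", "DIR-806", "GO-RT-AC750", "DIR-845L"}

# Assumed LAN range; any other source address is treated as coming from the WAN side
LAN = ip_network("192.168.0.0/16")

# Assumed router web-interface log format: "<src_ip> <method> <path> <status>"
HTTP_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample log: one WAN host touching the HNAP endpoint, one host
# hammering the login page, and ordinary LAN administration traffic
SAMPLE_LOG = [
    "192.168.1.10 GET /HNAP1/ 200",
    "203.0.113.7 POST /HNAP1/ 200",
    "203.0.113.7 POST /HNAP1/ 500",
    "198.51.100.9 POST /login.cgi 401",
    "198.51.100.9 POST /login.cgi 401",
    "198.51.100.9 POST /login.cgi 401",
    "198.51.100.9 POST /login.cgi 401",
    "198.51.100.9 POST /login.cgi 401",
    "192.168.1.10 GET /index.html 200",
]

# Constructed inventory of (hostname, model); OTHER-MODEL is a placeholder
SAMPLE_INVENTORY = [
    ("branch-rtr-01", "DIR-645"),
    ("hq-rtr", "OTHER-MODEL"),
    ("lab-rtr", "go-rt-ac750"),
]


def hnap_from_wan(lines):
    """Return the distinct non-LAN source addresses that reached the HNAP endpoint.
    The HNAP management interface should never be reachable from the WAN side,
    so any hit deserves a look at the router's configuration and firmware."""
    hits = set()
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        if m["path"].lower().startswith("/hnap1") and ip_address(m["src"]) not in LAN:
            hits.add(m["src"])
    return sorted(hits)


def login_bruteforce(lines, threshold=5):
    """Count HTTP 401 responses per source address and return those at or above
    the threshold; a burst of failures matches the hard-coded credential guessing
    the article attributes to Ficora."""
    failures = Counter()
    for line in lines:
        m = HTTP_LINE.match(line)
        if m and m["status"] == "401":
            failures[m["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def eol_devices(inventory):
    """Return the hostnames whose model is on the article's end-of-life list,
    i.e. the devices its advice says should be replaced rather than patched."""
    return [host for host, model in inventory if model.upper() in EOL_MODELS]


if __name__ == "__main__":
    print("HNAP reached from WAN by:", hnap_from_wan(SAMPLE_LOG))
    print("Login brute-force sources:", login_bruteforce(SAMPLE_LOG))
    print("Devices to replace:", eol_devices(SAMPLE_INVENTORY))
```

On the constructed sample the script reports 203.0.113.7 as a WAN source hitting the HNAP endpoint, 198.51.100.9 as a brute-force source with five failed logins, and branch-rtr-01 and lab-rtr as devices on the end-of-life list; in real use the log format, LAN range and threshold would need to be adapted to the environment.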