HackRead

FortiGuard Labs has observed an increase in activity from two botnets, FICORA and CAPSAICIN, during late 2024. These are variants of the notorious Mirai and Kaiten botnets, and they exploit vulnerabilities in D-Link routers to execute malicious commands remotely. The exploited vulnerabilities, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, stem from flaws in the Home Network Administration Protocol (HNAP) interface, particularly in handling user input and authentication. Affected devices include D-Link DIR-645, DIR-806, and GO-RT-AC750 models, which remain susceptible due to outdated firmware. The FICORA botnet is particularly advanced, targeting Linux architectures, using ChaCha20 encryption, and featuring brute-force attacks, DDoS capabilities, and malware removal scripts. To mitigate risks, users should update firmware, disable unnecessary services, and enforce robust router security measures.
