Malware botnets exploit outdated D-Link routers in recent attacks [bleepingcomputer.com]:
Two botnets tracked as 'Ficora' and 'Capsaicin' have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions.
The list of targets includes popular D-Link devices used by individuals and organizations such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.
For initial access, the two pieces of malware use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
Once a device is compromised, attackers leverage weaknesses in D-Link's management interface (HNAP) and execute malicious commands through a GetDeviceSettings action.
The botnets can steal data and execute shell scripts. Attackers appear to compromise the devices for distributed denial-of-service (DDoS) purposes.
Ficora has a widespread geographic distribution with some focus on Japan and the United States. Capsaicin appears to be targeting mostly devices in East Asian countries and increased its activity for just two days, starting on October 21.
[...] One way to prevent botnet malware infections on routers and IoT devices is to ensure that they're running the latest firmware version, which should address known vulnerabilities.
If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model.
As general advice, you should replace default admin credentials with unique and strong passwords and disable remote access interfaces if not needed.
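As an added defender-side example (not code from the article or from D-Link), the script below runs a simple check over a few constructed web-server log lines of the kind a router or a reverse proxy in front of it might produce. It flags HNAP requests whose SOAPAction value is anything other than a plain action name under the HNAP namespace, and HNAP requests arriving from non-private addresses, which is what "remote access interface left enabled" looks like in practice. The log format, the `http://purenetworks.com/HNAP1/` namespace prefix and the "action names are alphanumeric" rule are assumptions made for the example; the sample lines and the `PLACEHOLDER_CMD` token are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed format: client, method, path, SOAPAction header or "-").
# These are invented for the example; they are not captured traffic.
SAMPLE_LOG = """\
192.168.0.23 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings"
203.0.113.9 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings/`PLACEHOLDER_CMD`"
192.168.0.42 GET /index.html -
198.51.100.7 POST /HNAP1/ "http://purenetworks.com/HNAP1/Login"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "?(?P<soapaction>[^"]*)"?$')

# RFC 1918 ranges: anything else talking to the management interface is "remote access".
LAN_RE = re.compile(r'^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')

# Assumption for this example: a legitimate SOAPAction is the HNAP namespace plus a bare
# alphanumeric action name. Anything extra after the action name (slashes, quotes, backticks,
# semicolons) is not something a normal client would send.
ACTION_RE = re.compile(r'^http://purenetworks\.com/HNAP1/[A-Za-z0-9]+$')


@dataclass
class Finding:
    client: str
    reason: str


def analyse(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious HNAP request in the given log text."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m['path'].startswith('/HNAP1'):
            continue  # not an HNAP request, nothing to check
        client, action = m['client'], m['soapaction']
        if action != '-' and not ACTION_RE.match(action):
            findings.append(Finding(client, 'malformed SOAPAction: ' + action))
        if not LAN_RE.match(client):
            findings.append(Finding(client, 'HNAP request from non-private address'))
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f'{f.client}: {f.reason}')
```

Run against the constructed sample, the clean LAN-side GetDeviceSettings call passes, the line with extra characters after the action name is flagged as malformed, and both requests from public addresses are flagged as remote management access. On a real device the second rule is the cheaper fix: if HNAP is reachable from the WAN at all, disable remote administration rather than tuning the pattern.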
Previously: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices [soylentnews.org]