CyberSecurity news

@osint10x.com - 64d
Cybersecurity experts are warning about a surge in activity from two botnets, FICORA and CAPSAICIN, exploiting old vulnerabilities in D-Link routers. These botnets are leveraging decade-old weaknesses in the Home Network Administration Protocol (HNAP) interface to execute malicious commands, propagate malware, and launch DDoS attacks. FICORA, a Mirai variant, targets devices globally, while CAPSAICIN, a Kaiten variant, primarily targets East Asia. The attacks demonstrate the ongoing risks posed by outdated and unpatched network hardware: the vulnerabilities being exploited have been known for years.

The FICORA botnet uses a downloader script to deploy malware and brute-force credentials, and it uses the UDP, TCP, and DNS protocols for DDoS attacks. The CAPSAICIN botnet focuses on rapid deployment and actively terminates rival botnet processes on infected devices to maintain control. It sends operating system information to a command-and-control server and awaits further commands. Researchers advise users to update router firmware, implement thorough monitoring, and use cybersecurity solutions to mitigate the threats posed by these botnets, highlighting the dangers of older devices and the crucial need for regular updates.

References :
  • siliconangle.com: Botnets leverage decade-old D-Link vulnerabilities in new attack campaigns
  • www.fortinet.com: Fortinet : The fun don't stop with end-of-life D-Link products: Botnets like FICORA, a Mirai variant, and CAPSAICIN, a Kaiten variant, are exploiting , , , and . Only CVE-2015-2051 is in CISA's KEV Catalog. Indicators of compromise are provided.
  • The Hacker News: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
  • osint10x.com: Botnets Continue to Target Aging D-Link Vulnerabilities
  • Security Affairs: SecurityAffairs.com article on surge in FICORA and Kaiten botnet activity.
  • Cyber Security News: New Botnet Exploits D-Link Routers for Remote Control
  • Osint10x: Botnets Continue to Target Aging D-Link Vulnerabilities
  • SiliconANGLE: Botnets leverage decade-old D-Link vulnerabilities in new attack campaigns
  • ciso2ciso.com: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
  • cyberpress.org: Researchers observed increased activity from Mirai variant “FICORA” and Kaiten variant “CAPSAICIN” botnets in late 2024 that exploited known vulnerabilities in D-Link devices, such as CVE-2024-33112.
  • CyberInsider: Unpatched D-Link routers worldwide targeted by new malware
  • ciso2ciso.com: CISO2CISO article on surge in FICORA and Kaiten botnet activity.
  • : Experts warn of a surge in activity associated FICORA and Kaiten botnets – Source: securityaffairs.com
  • securityonline.info: CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices
  • ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks.
  • ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks – Source:hackread.com
  • gbhackers.com: New Botnet Exploiting D-Link Routers To Gain Control Remotely
  • Security Risk Advisors: 🚩 Mirai “FICORA” and Kaiten “CAPSAICIN” Botnets Target Decade-Old D-Link Weaknesses
  • Techzine Global: Malware botnets abuse outdated D-Link routers
  • gbhackers.com: GBHackers article about a new botnet exploiting D-Link routers to gain control remotely.
  • sra.io: 🚩 Mirai “FICORA” and Kaiten “CAPSAICIN” Botnets Target Decade-Old D-Link Weaknesses
  • supportannouncement.us.dlink.com: D-Link Security Advisory
Classification:
  • HashTags: #Botnet #DLink #Mirai
  • Company: D-Link
  • Target: D-Link Router Users
  • Attacker: Unspecified
  • Product: D-Link Routers
  • Feature: HNAP
  • Malware: FICORA/CAPSAICIN
  • Type: Botnet
  • Severity: Major
@go.theregister.com - 19d
India's central bank, the Reserve Bank of India (RBI), is set to introduce the exclusive "bank.in" domain for banks, a strategic move aimed at combating the rising tide of digital financial fraud. This initiative intends to significantly reduce cybersecurity threats and malicious activities such as phishing. The goal is to streamline secure financial services to enhance trust in digital banking and payment systems. With over 2,000 banks currently operating in India, assigning them an exclusive domain is expected to make it harder for fraudsters to create fake bank websites and lure victims.

This plan was detailed in a policy update, addressing the "significant concern" around increased digital payment fraud in India. Registration for bank.in domains is scheduled to commence in April. The RBI is also planning a separate domain, "fin.in," for other non-bank entities in the financial sector. To further enhance trust in online payments, the RBI is also introducing Additional Factor Authentication (AFA) for cross-border card-not-present online transactions. The Institute for Development and Research in Banking Technology (IDRBT) will serve as the exclusive registrar.

References :
  • The Register - Security: With over 2,000 banks in operation, the potential to make life harder for fraudsters is obvious. India’s Reserve Bank last week announced a plan to adopt dedicated second-level domains – bank.in and fin.in – in the hope it improves trust in the financial services sector.…
  • The Hacker News: India’s RBI Introduces Exclusive "bank.in" Domain to Combat Digital Banking Fraud
  • The Register: India wants all banking to happen at dedicated bank.in domain. With over 2,000 banks in operation, the potential to make life harder for fraudsters is obvious. India’s Reserve Bank last week announced a plan to adopt dedicated second-level domains – bank.in and fin.in – in the hope it improves trust in the financial services sector.…
  • Techmeme: Techmeme post on the India's bank.in plan.
Classification:
  • HashTags: #India #Banking #Fraud
  • Company: India
  • Target: Digital banking in India
  • Attacker: Unspecified
  • Product: bank.in
  • Feature: Bank.in Domain
  • Type: News
  • Severity: Medium
@gbhackers.com - 16d
A critical authentication bypass vulnerability, identified as CVE-2024-53704, in SonicWall firewalls is under active exploitation. Security firms are warning that attackers are now targeting this flaw following the public release of proof-of-concept exploit code. The vulnerability allows attackers to bypass authentication, posing a significant risk to affected systems.

Security updates are available for download to address the issue, and users are strongly urged to patch their SonicWall firewalls immediately. Attacks are currently taking place, making prompt action essential to mitigate potential exploits. The vulnerability highlights the importance of keeping security infrastructure up to date to defend against emerging threats.

References :
  • BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls. Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.
Classification: