Recently, cybersecurity experts from Fortinet uncovered a new botnet named Goldoon, which targets D-Link routers through a long-known vulnerability, CVE-2015-2051. This vulnerability, with a high severity score of 9.8 on the CVSS scale, allows remote attackers to execute arbitrary commands via specially crafted HTTP requests.
Researchers Kara Lin and Vincent Lee from Fortinet FortiGuard Labs explained that once a device is infected, the attacker gains full control, enabling them to extract data, communicate with a control server, and use the compromised devices for malicious activities, including DDoS attacks.
Telemetry data shows that the Goldoon botnet activity surged on April 9, 2024. Attackers leverage the CVE-2015-2051 vulnerability to implant malicious code on various Linux system architectures, followed by a cleanup process to erase traces of their activity, making detection more challenging.
Goldoon not only maintains a persistent presence on infected devices but also establishes communication with a control server to receive further instructions. The botnet is capable of launching DDoS attacks using 27 different methods across protocols including DNS, HTTP, ICMP, TCP, and UDP.
Further emphasizing the significance of botnet evolution, experts from Trend Micro point out that cybercriminals and even state actors are increasingly utilizing infected routers as a layer of anonymity, leasing them to other criminals or commercial proxy providers. This tactic makes it harder to distinguish malicious traffic from legitimate activity.
Researchers stress that internet routers remain a prime target for cybercriminals due to limited security monitoring and outdated software. The emergence of the Goldoon botnet serves as a stark reminder of the importance of regularly updating software and enhancing security measures on network devices. When a router reaches the end of its vendor support period, prompt replacement is advised to minimize the risk of exploitation by hackers.
While DDoS attacks are disruptive, theft of sensitive data poses a more severe threat to enterprises. Malware like Cuttlefish, which is capable of compromising company accounts, can not only impact router performance but also lead to unauthorized access and the theft of valuable information.