New Botnet Targets D-Link Routers

A newly discovered botnet, named Goldoon, has been identified targeting older D-Link routers, specifically exploiting a critical vulnerability that has been known but unaddressed since 2015. This botnet leverages compromised devices to facilitate further cyberattacks, including distributed denial-of-service (DDoS) assaults, according to recent findings by Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li.

The vulnerability, designated CVE-2015-2051, carries a CVSS score of 9.8 and affects D-Link DIR-645 routers. It allows remote attackers to execute arbitrary commands through specially crafted HTTP requests. Once a device has been compromised through this flaw, attackers can take full control of it: they can extract system information, establish communications with a command-and-control (C2) server, and use the device as a springboard to launch additional attacks.

The process begins with the exploitation of CVE-2015-2051, through which attackers retrieve a dropper script from a remote server. This script is responsible for downloading further payloads compatible with various Linux system architectures. Once these payloads are activated, they function primarily to download the Goldoon malware from another remote location. In efforts to conceal their activities, the attackers designed the dropper to delete itself after executing, thus erasing any direct traces of the initial intrusion.
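Because the dropper deletes itself after running, a forensic look at the router may find nothing; the staged download chain described above is, however, visible from the network side. The following is an added detection example (not code from the Fortinet report or from this article) that scans egress HTTP proxy logs for a script fetch followed by several architecture-named binary fetches from the same remote host. The log format, the per-architecture file-name suffixes, the 120-second window and all addresses and paths are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound HTTP requests as an egress proxy might log them.
# Assumed line format: "<ISO-8601 timestamp> <client ip> <method> <url> <bytes>".
# Hosts are documentation addresses and the paths are invented; none are real IoCs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 GET http://203.0.113.5/d/drop.sh 812
2024-05-01T10:00:04Z 192.0.2.10 GET http://203.0.113.5/d/bot.mips 61440
2024-05-01T10:00:06Z 192.0.2.10 GET http://203.0.113.5/d/bot.mipsel 60416
2024-05-01T10:00:07Z 192.0.2.10 GET http://203.0.113.5/d/bot.arm7 59392
2024-05-01T10:00:20Z 192.0.2.10 GET http://203.0.113.9/stage2 204800
2024-05-01T10:01:00Z 192.0.2.22 GET http://example.com/index.html 5120
2024-05-01T10:01:02Z 192.0.2.22 GET http://example.com/install.sh 2048
2024-05-01T10:40:00Z 192.0.2.31 GET http://203.0.113.5/d/drop.sh 812
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)$")
SCRIPT_RE = re.compile(r"\.sh$", re.I)
# Suffixes loaders commonly give per-architecture builds (assumed from general
# IoT-malware naming habits, not taken from the article).
ARCH_RE = re.compile(
    r"\.(mips|mipsel|mpsl|arm\d?|armv\dl|x86|x86_64|i586|i686|ppc|sh4|m68k|sparc)$", re.I
)

WINDOW = timedelta(seconds=120)   # assumed: payloads follow the script quickly
MIN_ARCH_FETCHES = 2              # one script plus two or more binaries = a chain


def parse(log_text):
    """Turn proxy log lines into events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, _size = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host, path = u.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "host": host, "path": path,
        })
    return events


def detect_dropper_chains(log_text):
    """One alert per (client, remote host) where a .sh fetch is followed within
    WINDOW by at least MIN_ARCH_FETCHES architecture-named fetches from that host."""
    by_src_host = defaultdict(list)
    for ev in parse(log_text):
        by_src_host[(ev["src"], ev["host"])].append(ev)

    alerts = []
    for (src, host), evs in by_src_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not SCRIPT_RE.search(ev["path"]):
                continue
            arch = [e for e in evs[i + 1:]
                    if e["ts"] - ev["ts"] <= WINDOW and ARCH_RE.search(e["path"])]
            if len(arch) >= MIN_ARCH_FETCHES:
                alerts.append({
                    "src": src, "host": host, "script": ev["path"],
                    "arch_fetches": [e["path"] for e in arch],
                    "first_seen": ev["ts"].isoformat(),
                })
                break   # one alert per pair is enough for triage
    return alerts


def related_sources(log_text, host):
    """Pivot: every internal client that contacted the flagged remote host,
    so a second router that only fetched the dropper is not missed."""
    return sorted({e["src"] for e in parse(log_text) if e["host"] == host})


if __name__ == "__main__":
    for a in detect_dropper_chains(SAMPLE_LOG):
        print(a)
        print("other clients touching", a["host"], related_sources(SAMPLE_LOG, a["host"]))
```

The `related_sources` pivot matters because the final Goldoon download comes from a second host and the dropper removes itself: a device that only shows the first fetch (192.0.2.31 in the constructed data) still warrants inspection even though it did not trip the chain rule.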

Interestingly, any direct attempt to access the malware’s remote endpoint through a web browser returns a mocking error message, highlighting the attackers' brazen confidence. Once established on the device, Goldoon ensures its persistence through several autorun methods and maintains its connection to the C2 server, ready to receive further malicious instructions. These instructions can include executing DDoS attacks using an array of methods and protocols such as DNS, HTTP, ICMP, TCP, and UDP, showcasing the malware’s versatility in causing disruption.
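The DDoS capability listed above (DNS, HTTP, ICMP, TCP and UDP vectors) is something a network owner can spot from flow records even without a malware sample, because a single router suddenly pushing high packet rates at one destination over several protocols is unlike normal gateway traffic. The following added example (not from the Fortinet report or this article) groups constructed NetFlow-style records into 10-second buckets per source/destination pair and raises an alert when both the packet count and the number of distinct attack vectors cross assumed thresholds; the CSV layout, the vector labels and the thresholds are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed NetFlow-like records (assumed CSV layout). Addresses are
# documentation ranges; the numbers are invented to illustrate the rule.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,pkts
2024-05-01T11:00:00Z,192.0.2.10,198.51.100.7,icmp,0,4200
2024-05-01T11:00:00Z,192.0.2.10,198.51.100.7,udp,53,3900
2024-05-01T11:00:01Z,192.0.2.10,198.51.100.7,tcp,80,3100
2024-05-01T11:00:01Z,192.0.2.10,198.51.100.7,udp,1900,2800
2024-05-01T11:00:02Z,192.0.2.10,198.51.100.7,tcp,9000,2600
2024-05-01T11:00:02Z,192.0.2.22,203.0.113.44,tcp,443,40
2024-05-01T11:00:03Z,192.0.2.22,198.51.100.7,udp,53,6
2024-05-01T11:00:05Z,192.0.2.10,203.0.113.9,tcp,6667,3
"""


def vector(proto, dport):
    """Map a flow onto the vector names used in the article (assumed mapping)."""
    proto = proto.lower()
    if proto == "icmp":
        return "ICMP"
    if proto == "udp" and dport == 53:
        return "DNS"
    if proto == "tcp" and dport == 80:
        return "HTTP"
    return proto.upper()          # generic TCP or UDP flood


def parse_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"].replace("Z", "+00:00")),
            "src": r["src"], "dst": r["dst"],
            "vector": vector(r["proto"], int(r["dport"])),
            "pkts": int(r["pkts"]),
        })
    return rows


def detect_floods(text, bucket_s=10, pkt_threshold=5000, min_vectors=2):
    """Alert on (src, dst, time bucket) groups whose packet total reaches
    pkt_threshold across at least min_vectors distinct vectors."""
    buckets = defaultdict(lambda: {"pkts": 0, "vectors": set()})
    for f in parse_flows(text):
        key = (f["src"], f["dst"], int(f["ts"].timestamp()) // bucket_s)
        buckets[key]["pkts"] += f["pkts"]
        buckets[key]["vectors"].add(f["vector"])

    alerts = []
    for (src, dst, bucket), b in buckets.items():
        if b["pkts"] >= pkt_threshold and len(b["vectors"]) >= min_vectors:
            start = datetime.fromtimestamp(bucket * bucket_s, tz=timezone.utc)
            alerts.append({
                "src": src, "dst": dst, "bucket_start": start.isoformat(),
                "pkts": b["pkts"], "pps": b["pkts"] / bucket_s,
                "vectors": sorted(b["vectors"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(a)
```

Note what this rule does not catch: the tiny tcp/6667 flow in the constructed data, which stands in for a low-volume C2 connection, stays far below the packet threshold. Beaconing needs a separate periodicity rule on the same records; the volume rule here only finds the router once it is actively used as a DDoS node.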

This episode is part of a broader trend where cybercriminals and state-sponsored groups exploit internet-connected devices. Routers, in particular, are targeted due to their pivotal role in network communications, which can serve as an anonymization layer for malicious activities. Cybersecurity firm Trend Micro notes that compromised routers are often rented out to other criminals or used by nation-state actors for operations that require masking their internet presence.

For instance, groups like Sandworm and Pawn Storm have been observed using compromised routers in their operations. These routers can be utilized for various nefarious activities, from brute-force attacks and spam distribution to serving as proxies for credential phishing and facilitating cryptocurrency mining.

The exploitation of these vulnerabilities underscores the critical need for robust security practices concerning network devices. Routers often suffer from inadequate security monitoring, lax password policies, infrequent updates, and the use of powerful operating systems that can support malicious software. This makes them attractive targets for threat actors looking to establish a covert presence within networks.

In response to these threats, cybersecurity agencies and companies are increasingly vigilant, taking steps to dismantle harmful botnets and mitigate their impacts. For example, the U.S. government recently targeted parts of the MooBot botnet, which had been using various internet-facing devices, including Ubiquiti EdgeRouters, for malicious purposes.

This ongoing situation highlights the importance of maintaining up-to-date security measures on all network-connected devices, particularly routers. Regular updates, strong password policies, and active security monitoring are essential to prevent attackers from exploiting old vulnerabilities and to safeguard against the potential wide-ranging effects of such security breaches.