New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw

A new botnet called Goldoon targets D-Link routers and NAS devices, putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a new botnet threat dubbed “Goldoon” specifically targeting D-Link routers and network-attached storage (NAS) devices. This malware infects devices by exploiting the CVE-2015-2051 (CVSS score: 10.0) vulnerability, potentially putting user data and network security at risk.

Notably, CVE-2015-2051, a security vulnerability identified in February 2015, is nearly a decade old. This vulnerability primarily affects end-of-life devices.

In September 2022, Palo Alto Networks’ Unit 42 discovered that the same vulnerability was being exploited by MooBot, a variant of the infamous Mirai botnet, to target D-Link devices. D-Link addressed the issue in 2015, and further details regarding their response can be found here.

According to the Fortinet report, Goldoon leverages brute-force attacks to gain access to D-Link devices. Brute-force attacks involve systematically trying different username and password combinations until gaining unauthorized access. The report suggests these attacks exploit weak default credentials or outdated firmware on targeted devices.

Once established, Goldoon transforms the infected device into a bot, adding it to a network of compromised machines under the control of the botnet operator. This network of bots can then be used for various malicious activities, including:

  • Launching Distributed Denial-of-Service (DDoS) attacks: Bombarding websites or online services with overwhelming traffic, causing them to crash or become unavailable to legitimate users.
  • Data theft: Stealing sensitive information like login credentials, financial details, or personal data stored on the infected device.
  • Spreading malware: Using the compromised device to further propagate malware across a network, potentially infecting other devices.

The report highlights the critical role of patching and updating firmware on D-Link devices. Outdated firmware often contains vulnerabilities that attackers can exploit. Fortinet recommends that D-Link users:

  • Enable automatic firmware updates: Most devices can download and install security updates automatically.
  • Change default credentials: Replace the factory-set username and password with a strong, unique combination.
  • Implement strong network security practices: Enable firewalls, use complex passwords, and be cautious when clicking on links or opening attachments from unknown senders.

“While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution. Once attackers successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to launch further attacks. We strongly recommend applying patches and updates whenever possible because of the ongoing development and introduction of new botnets.”

FortiGuard Labs

Fortinet’s discovery of Goldoon serves as a reminder of the evolving cyber threat landscape. By prioritizing proper device security measures, D-Link users can minimize the risk of falling victim to this or similar botnet attacks.
