Endpoint Security , Governance & Risk Management , Internet of Things Security
New Botnet 'Goldoon' Targets D-Link Devices
FortiGuard Labs Identifies Botnet Exploiting Decade-Old D-Link VulnerabilityHackers are taking advantage of D-Link home routers left unpatched for a decade and turning them into a newly formed botnet researchers dubbed "Goldoon."
See Also: 4 Key Elements of an ML-Powered NGFW: How Machine Learning Is Disrupting Network Security
Researchers at FortiGuard Labs identified the botnet in April and discovering that hackers assembling it are using a 2015 vulnerability tracked as CVE-2015-2051 present in D-Link DIR-645 model, which first retailed in 2011. The remote code execution flaw was patched in 2015.
The vulnerability allows attackers to execute arbitrary commands remotely via the proprietary Home Network Administration Protocol. Attackers send an HTTP request with a malicious command. HNAP is a SOAP-based protocol that Cisco acquired in 2008; D-Link used it to connect routers to a setup wizard. Analysis by a hacker in 2015 says that the HNAP web server skipped authentication checks when parsing a HTTP with the header GetDeviceSettings
, allowing for code injection.
Inconsistent application of patches in consumer-grade routers is a well-known issue that often stems from manufacturer delays in developing updates or consumer neglect in installing them. A U.S. 2018 study based on internet scans of 186 routers says that 83% of sampled routers were vulnerable to cyberattacks, and more than one-quarter of them contain high-risk or critical flaws. In a survey of U.K. internet users, also conducted in 2018, only 14% of respondents say that they updated router firmware while only 18% said they changed the administrator password.
"Once they're connected to the internet, they don't care anymore about the router," an industry CISO told Oxford University academics researching a 2023 paper.
Goldoon hackers download a file dropper onto vulnerable routers that calls additional files, all named "goldoon." The script calls for the actual botnet malware and constructs a Uniform Resource Identifier with a fixed header User-Agent: FBI-Agent (Checking You)
to obtain the ultimate payload. Anyone who attempts to reach the same URI through a web browser gets a supposed error message containing the text "Sorry, you are an FBI Agent & we can't help you :( Go away or I will kill you :)."
Researchers detected a spike in Goldoon botnet activity in mid-April that was nearly double baseline activity during the rest of the month. The botnet "contains an astounding 27 different methods" to conduct distributed denial-of-service attacks, including ICMP, TCP and DNS flooding.
Some of the DDoS methods lack code, suggesting that Goldoon is a work in progress.