A recent discovery by Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li has brought to light a new botnet named Goldoon. This malicious software specifically targets older D-Link routers, exploiting a critical vulnerability (CVE-2015-2051) known since 2015 but left unaddressed by some users. This vulnerability allows attackers to gain complete control over compromised devices, turning them into springboards for further cyberattacks.

The Looming Shadow of Outdated Software

The vulnerability in question, CVE-2015-2051, carries a severity score of 9.8, indicating a high risk. It resides within D-Link DIR-645 routers and grants remote attackers the ability to execute arbitrary commands through specially crafted HTTP requests. This essentially gives them full reign over the compromised device. Attackers can leverage this access to steal sensitive system information, establish connections with their command-and-control (C2) servers, and even use the router as a launchpad for additional attacks.

Goldoon’s Web of Deception

Goldoon’s operation begins with exploiting CVE-2015-2051. Through this vulnerability, attackers retrieve a dropper script from a remote server. This script then downloads further malicious payloads compatible with various Linux system architectures. Once activated, these payloads download the core Goldoon malware from another remote location. Notably, the attackers designed the dropper to self-destruct after execution, eliminating any immediate traces of the initial intrusion.

A Mocking Display and Enduring Threat

Interestingly, attempting to access the malware’s remote endpoint directly through a web browser yields a mocking error message. This brazen display highlights the attackers’ confidence in their ability to remain undetected. Once established on the device, Goldoon utilizes various autorun methods to ensure its persistence and maintains a constant connection to its C2 server, awaiting further malicious instructions. These instructions can encompass launching Distributed Denial-of-Service (DDoS) attacks utilizing various methods and protocols, including DNS, HTTP, ICMP, TCP, and UDP, showcasing the malware’s versatility in causing widespread disruption.

Routers: A Backdoor to Your Network

This incident exemplifies a growing trend: cybercriminals and even state-sponsored groups exploiting internet-connected devices. Routers, due to their crucial role in directing network traffic, are especially attractive targets. They can act as an anonymization layer for attackers, masking their online activities and making it difficult to trace the source of an attack. Cybersecurity firm Trend Micro has documented instances where compromised routers are rented out to other criminals or used by nation-states to conceal their internet presence. Groups like Sandworm and Pawn Storm have been observed employing compromised routers for various malicious activities, including brute-force attacks aimed at cracking passwords, spam distribution campaigns designed to bombard users with unwanted emails, credential phishing schemes designed to steal login information, and even cryptocurrency mining operations that steal processing power for financial gain.

The Importance of Proactive Network Security

These vulnerabilities highlight the paramount importance of proactive security practices for network devices. Routers are often plagued by inadequate security monitoring, lax password policies that are easy to guess or crack, infrequent updates that leave them exposed to known exploits, and the use of powerful operating systems that can support malicious software if not properly secured. This combination makes them prime targets for attackers seeking a covert foothold within networks.

The Fightback: Dismantling Botnets and the Cyber Resilience Act on the Horizon

Fortunately, cybersecurity agencies and companies are actively taking steps to combat these threats. Disabling harmful botnets like the recently dismantled MooBot botnet, which targeted various internet-facing devices including Ubiquiti EdgeRouters, signifies this ongoing effort. The upcoming Cyber Resilience Act further emphasizes the importance of robust network security. This act will enforce stricter regulations on manufacturers, ensuring they provide adequate security updates and support for their devices for a longer period, ultimately minimizing the window of vulnerability that attackers can exploit.

Fortifying Your Network: A Multi-Pronged Approach

The discovery of Goldoon underscores the critical need for consistent security measures on all network-connected devices, especially routers. Here are some key steps you can take to safeguard your network:

• Regular Updates: Implement a regular update schedule for your router’s firmware. Many router manufacturers offer automatic update functionality; enabling this feature ensures you receive the latest security patches as soon as they become available.
• Strong Passwords: Avoid using generic or easily guessable passwords for your router’s admin panel. Utilize a strong, complex password that includes a combination of uppercase and lowercase letters, numbers, and symbols. Consider using a password manager to generate and store strong passwords for all your devices.
• Active Monitoring: Consider security software that offers router monitoring capabilities. These tools can detect suspicious activity and alert you to potential threats.
• Disable Remote Access (Optional): If you don’t need to remotely access your router’s admin panel, consider disabling this functionality. This reduces the attack surface and makes it more difficult for attackers to exploit vulnerabilities remotely.
• Separate Guest Network: For added security, create a separate guest network for visitors and devices you don’t use regularly. This segregates guest traffic from your main network, limiting the potential damage if a guest device becomes compromised.

The Future of Network Security: A Collaborative Effort

The fight against cyber threats requires a collaborative effort. As the Cyber Resilience Act approaches enforcement, manufacturers are obligated to prioritize security throughout the device lifecycle. Users, on the other hand, must stay vigilant and implement proactive security measures to fortify their networks. By combining these efforts, we can create a more secure digital landscape for everyone.

In Conclusion

The Goldoon botnet serves as a stark reminder of the ever-present dangers lurking within outdated software. By prioritizing regular updates, implementing strong passwords, and actively monitoring your network security, you can significantly reduce the risk of falling victim to similar attacks. The upcoming Cyber Resilience Act is a positive step towards a more secure future, but its effectiveness hinges on both manufacturers fulfilling their obligations and users taking an active role in safeguarding their networks. Remember, robust network security is a shared responsibility, and by working together, we can create a safer online environment for everyone.