Newly identified botnet targets a decade-old flaw in unpatched D-Link devices

Researchers have discovered a new botnet called Goldoon that exploits a decade-old vulnerability in unpatched D-Link routers.

The flaw – CVE-2015-2051 – “has low attack complexity” but carries a critical security impact: it could allow intruders to remotely execute code on affected hardware, according to a report from cybersecurity firm Fortinet.

“Once attackers can successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to conduct further attacks,” Fortinet said. The researchers named the botnet after an element called goldoon.server within the malware it spreads.

Goldoon can capture information about the targeted system and is used by hackers to conduct distributed denial-of-service (DDoS) attacks – a classic use for botnets.

According to researchers, the botnet’s activity peaked in April, “nearly doubling its usual frequency.”

D-Link fixed the flaw as part of a firmware update in the first half of 2015.

Unpatched D-Link hardware has recently attracted the attention of researchers and the US Cybersecurity and Infrastructure Security Agency (CISA). The agency said earlier in April that some older D-Link devices are being exploited by threat actors.

Specifically, CISA added CVE-2024-3273 and CVE-2024-3272 to its list of known exploited vulnerabilities, giving federal agencies a brief window to stop using or replace D-Link hardware that in some cases could be a decade old.

Products from other companies may have similar problems. Fortinet previously reported that botnets continue to exploit a year-old vulnerability in unpatched TP-Link Internet routers.

Upon discovering Goldoon, Fortinet stated that seeing hackers exploit old bugs “reminds us that botnets continue to evolve and exploit as many devices as possible.”

Researchers recommended applying patches and updates ‘where possible’ due to the continued development and introduction of new botnets.
