May 3, 2024
Severity
High
Analysis Summary
D-Link routers with a severe security issue that dates back almost ten years have been the target of a never-before-seen botnet named Goldoon, which aims to use the compromised equipment for more attacks.
D-Link DIR-645 routers are vulnerable to CVE-2015-2051 (CVSS score: 10), a command injection flaw that allows a remote attacker to execute arbitrary commands on the device. The attacker exploits it by sending specially crafted requests that abuse the GetDeviceSettings action to inject and execute commands on the system.
Attackers can obtain total control over a compromised device, which gives them the ability to retrieve system data, communicate with a C2 server, and utilize the affected devices to execute additional attacks such as distributed denial-of-service (DDoS).
“Our telemetry data also indicates that this botnet activity spiked in April, almost doubling the usual frequency,” said the researchers.
The exploitation begins with the use of CVE-2015-2051 to obtain a dropper script from a remote server. This script is in charge of downloading the next-stage payload for a variety of Linux system architectures, such as arm, i686, m68k, powerpc, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. The compromised device is then used to launch the payload, which serves as a downloader for the Goldoon malware from a remote endpoint. In an attempt to hide its presence and evade detection, the dropper finally deletes the file that has been executed.
In addition to establishing persistence on the host through a variety of autorun techniques, Goldoon connects to a command-and-control (C2) server to receive instructions for further operations. Its DDoS capability alone comprises 27 distinct flood methods across the DNS, HTTP, ICMP, TCP, and UDP protocols. Although CVE-2015-2051 is not a recent vulnerability and has a low attack complexity, its security impact remains significant because successful exploitation results in remote code execution.
The development coincides with the ongoing evolution of botnets, which are designed to exploit as many devices as possible. Compromised routers have also proven to be of interest to cybercriminals and advanced persistent threat (APT) actors, who use them as a means of anonymization. Threat actors presumably also sell compromised routers to for-profit residential proxy services in addition to renting them out to other cybercriminals.
The APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters, while nation-state threat actors such as Sandworm operated their own dedicated proxy botnets. The goal of using compromised routers as proxies is to conceal evidence of the actor's presence and to complicate the identification of malicious activity by blending it in with harmless, everyday traffic.
In February of this year, the United States government initiated measures to decommission a portion of the MooBot botnet, which used Ubiquiti EdgeRouters as its main internet-facing device in addition to other internet-facing gadgets including Raspberry Pi and VPS servers. According to the researchers, they saw the routers being used for a variety of activities, including spear phishing emails, cryptocurrency mining, employing server message block (SMB) reflectors in NTLMv2 hash relay attacks, Secure Shell (SSH) brute forcing, and pharmaceutical spam.
Another threat actor has also targeted Ubiquiti routers, infecting them with malware known as Ngioweb. These devices are subsequently deployed as exit nodes in a commercially sold residential proxy botnet. The findings also highlight how several malware families were used to ensnare the routers and force them into networks under the threat actors' control, transforming them into hidden listening posts with visibility into all network activity passing through them.
Internet routers remain a popular target for threat actors because they typically receive less security monitoring, are subject to laxer password policies, are updated infrequently, and often run capable operating systems that permit the installation of malware, including web servers, proxies, malicious scripts, cryptocurrency miners, and distributed denial-of-service (DDoS) malware.
Impact
- Denial of Service
- Unauthorized Access
- Remote Code Execution
- Sensitive Data Theft
Indicators of Compromise
IP
- 94.228.168.60
MD5
- dec08165d1c46622e70d3a15e8bd6029
- b85a47d2492497e2bf78608c80978ba9
- 0cd08a7b8c12b5c0effed00f48a7df9b
- 65528e0e1492411f5b5c96c9210abd9b
- 154c92fe21a8858ceceb2d3e438e103f
- 7a17a66d8cbcaf9dfcc293a9d4bcd857
- a589c38a2f156302c441cb56987c5479
- bbdb76cce040da000c90e426d65c41e5
- 8f4a8ac9a41f6e1f8f598512943ee691
- 0f5008ebdd8077e397817f67ea4315ea
SHA-256
- 712d9abe8fbdff71642a4d377ef920d66338d73388bfee542f657f2e916e219c
- d7367d41d19baa4f1022f8eb47f7ff1e13f583265c7c26ab96d5f716fa0d61ee
- fdf6dae772f7003d0b7cdc55e047434dbd089e0dc7664a3fae8ccfd9d10ece8c
- aa9e6006bce7d0b4554165dba76e67c4a44d98090c9e6ac9f3dca726f6e9adbf
- fc44018b7432d9e6a1e98f723b0402101fa6e7483d098b10133aac142c0a4a0b
- e7b78f16d0dfc91b4c7e8fd50fc31eba1eb22ec7030af9bf7c551b6019c79333
- 0e6eb17664943756cab434af5d94fcd341f154cb36fc6f1ef5eb5cfdce68975f
- 9af8720766c5f3978718c026c2263801b08634443c93bd67022c56c6ef531ef3
- df71219ba6f5835309479b6e3eaca73b187f509b915420656bfe9a9cc32596c2
- 48130a7c09a5c92e15b3fc0d2e1eb655e0bd8f759e01ba849f7734e32dbc2652
SHA1
- c05f755dac3a6d8954ac9295a88509a6da003d1a
- 4956ed591a4929a0988fb2e66898c9dbd014bc3f
- 285d450027bf8b46eef221ab6927bc959489b08f
- 998c4465175e6b95b1d0bd0cb69eb3d29b4e763f
- f6811f6845d8af402b218cfa3ae9e7afb71f121b
- a90883d3cdfaf555ee0fcca2dff78c97e03ea386
- e94bf6eb04f2c023a08d160b23cac42fbdd816c1
- 378a0f405e3115400c06b36d499e202993ad9eab
- 2a19574c0125d41f0d2efff6d93ec29ab12f07b4
- b1647a0799182a755ea5205677e907c541f8c736
Affected Vendors
- D-Link
Affected Products
- D-Link DIR-645 1.04b12
Remediation
- Refer to D-Link Security Advisory for patch, upgrade, or suggested workaround information.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Organizations must test their assets for the vulnerability described above and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
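The remediation steps above ask defenders to search their environment for the listed indicators. The following is an added example, not code from the advisory or its authors, of how such a sweep can be automated: it embeds a subset of the IP and file-hash indicators published above, extracts IP addresses and hex digests from arbitrary log lines, normalises hash case, and reports every line that contains a known indicator. The log lines are constructed for illustration (the host name, file path and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation-range placeholders, not real observations), and the `find_indicators`/`scan_lines` function names are assumptions of this example.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicators copied from the advisory above (a subset, to keep the example short).
IOC_IP = {"94.228.168.60"}
IOC_MD5 = {
    "dec08165d1c46622e70d3a15e8bd6029",
    "b85a47d2492497e2bf78608c80978ba9",
}
IOC_SHA1 = {
    "c05f755dac3a6d8954ac9295a88509a6da003d1a",
    "4956ed591a4929a0988fb2e66898c9dbd014bc3f",
}
IOC_SHA256 = {
    "712d9abe8fbdff71642a4d377ef920d66338d73388bfee542f657f2e916e219c",
    "d7367d41d19baa4f1022f8eb47f7ff1e13f583265c7c26ab96d5f716fa0d61ee",
}

# Digest length decides which indicator set a hex token is compared against.
HASH_BY_LEN = {32: ("md5", IOC_MD5), 40: ("sha1", IOC_SHA1), 64: ("sha256", IOC_SHA256)}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Any hex run long enough to be an MD5/SHA-1/SHA-256 digest; length is checked afterwards.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def find_indicators(line: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every advisory indicator present in one log line."""
    hits: list[tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IP:
            hits.append(("ip", ip))
    for token in HEX_RE.findall(line):
        token = token.lower()  # EDR and AV products often log digests in upper case
        kind, known = HASH_BY_LEN.get(len(token), (None, set()))
        if kind and token in known:
            hits.append((kind, token))
    return hits


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """Scan an iterable of log lines and return one record per indicator match."""
    matches = []
    for number, line in enumerate(lines, start=1):
        for kind, value in find_indicators(line):
            matches.append({"line": number, "kind": kind, "value": value})
    return matches


# Constructed sample input: firewall and EDR-style lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-05-03T10:14:02Z fw01 ACCEPT src=192.0.2.17 dst=94.228.168.60 dport=80 proto=tcp",
    "2024-05-03T10:14:05Z edr host=router-lab event=file_write path=/tmp/CONSTRUCTED_SAMPLE "
    "sha256=712d9abe8fbdff71642a4d377ef920d66338d73388bfee542f657f2e916e219c",
    "2024-05-03T10:15:00Z fw01 ACCEPT src=192.0.2.17 dst=198.51.100.9 dport=443 proto=tcp",
    "2024-05-03T10:16:11Z edr host=router-lab event=process_start md5=DEC08165D1C46622E70D3A15E8BD6029",
]

if __name__ == "__main__":
    for match in scan_lines(SAMPLE_LOGS):
        print(f"line {match['line']}: {match['kind']} indicator {match['value']}")
```

In practice the indicator sets would be loaded from the full list above (or a threat-intel feed) rather than embedded, and `scan_lines` would be fed from a log file or SIEM export; matching on the destination IP in firewall logs is the quickest way to spot an infected router reaching out to the C2 address, while the hash checks cover hosts where file events are collected.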