Last month, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability disclosed close to a decade ago, CVE-2015-2051. The vulnerability lets remote attackers execute arbitrary commands via a GetDeviceSettings action on the HNAP interface: an attacker sends a crafted HTTP request with a malicious command embedded in a request header.
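The detection logic below is an added example and is not part of the FortiGuard report or its IPS signature. It assumes, as in public descriptions of CVE-2015-2051, that the injection point is the SOAPAction header carrying the HNAP action URI (the standard `http://purenetworks.com/HNAP1/` namespace) and that an injected command is appended after the action name with shell metacharacters. The sample requests are constructed and use a placeholder in place of any real command; the code flags requests that match this shape so they can be reviewed or blocked at a proxy or IDS.

```python
"""Constructed example: flag raw HTTP requests that resemble
CVE-2015-2051 HNAP command-injection attempts.

Assumptions (not taken from the report): the injected command lives in
the SOAPAction header after the GetDeviceSettings action name, and a
legitimate action URI never contains shell metacharacters."""
import re
from typing import List, Optional, Tuple

HNAP_ACTION = "GetDeviceSettings"
# Shell metacharacters that have no place in an HNAP action URI.
SHELL_META = re.compile(r"[;&|`<>\\]|\$\(")


def parse_headers(raw_request: str) -> dict:
    """Return the request's headers as a dict keyed by lowercase name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def hnap_injection_reason(raw_request: str) -> Optional[str]:
    """Return a reason string if the request looks like HNAP command
    injection, otherwise None."""
    headers = parse_headers(raw_request)
    action = headers.get("soapaction", "").strip('"')
    if HNAP_ACTION not in action:
        return None
    # Whatever follows the action name (and its trailing slash) is not
    # part of a valid action URI; metacharacters there are the signal.
    tail = action.split(HNAP_ACTION, 1)[1].lstrip("/")
    if tail and SHELL_META.search(tail):
        return f"shell metacharacters after {HNAP_ACTION} in SOAPAction: {tail!r}"
    return None


def scan_requests(requests: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch of raw requests; returns (index, reason)."""
    hits = []
    for i, req in enumerate(requests):
        reason = hnap_injection_reason(req)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample traffic (192.0.2.1 is a documentation address).
BENIGN_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<soap:Envelope/>"
)

SUSPICIOUS_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/; CONSTRUCTED_PLACEHOLDER_COMMAND"\r\n'
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<soap:Envelope/>"
)

if __name__ == "__main__":
    for idx, why in scan_requests([BENIGN_REQUEST, SUSPICIOUS_REQUEST]):
        print(f"request {idx}: {why}")
```

The check deliberately keys on structure (metacharacters after the action name) rather than on a specific command, so it still fires when a campaign changes its payload; pair it with the vendor firmware fix and with blocking HNAP from the WAN side.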
FortiGuard’s IPS signature captured attempts to exploit CVE-2015-2051 to propagate a new botnet that we have named “Goldoon.” Figure 1 shows the attack packet.
If a targeted device is compromised, attackers gain complete control, enabling them to extract system information, establish communication with a command-and-control (C2) server, and then use these devices to launch further attacks such as distributed denial-of-service (DDoS). FortiGuard’s telemetry data also indicates that this botnet activity spiked in April, almost doubling the usual frequency.
Link to full report: IR-24-125-001_Goldoon.docx.pdf