Newly identified botnet targets decade-old flaw in unpatched D-Link devices

Researchers have discovered a new botnet, labeled Goldoon, that exploits a decade-old vulnerability in unpatched D-Link routers.

The flaw — CVE-2015-2051 — “presents a low attack complexity,” but has a critical security impact that can allow intruders to run code remotely on infected hardware, according to a report from cybersecurity firm Fortinet.

“Once attackers successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to launch further attacks,” Fortinet said. The researchers named the botnet after an element called goldoon.server within malware that spreads it. 

Goldoon can record information about the targeted system and is leveraged by hackers to launch distributed denial-of-service (DDoS) attacks — a classic use for botnets.

According to researchers, the botnet’s activity spiked in April, “almost doubling the usual frequency.”

D-Link patched the flaw as part of a firmware update in the first half of 2015.

Unpatched D-Link hardware has drawn attention recently from researchers as well as the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agency said earlier in April that some older D-Link devices are being exploited by threat actors.

In particular, CISA added CVE-2024-3273 and CVE-2024-3272 to its Known Exploited Vulnerabilities list, giving federal agencies a short window to retire or replace D-Link hardware that in some cases could be a decade old.

Products from other companies can have similar problems. Fortinet previously reported that botnets continue to exploit a year-old vulnerability in unpatched TP-Link internet routers.

Upon the discovery of Goldoon, Fortinet stated that seeing hackers exploit old bugs "reminds us that botnets continue to evolve and exploit as many devices as possible."

Researchers recommended applying patches and updates “whenever possible” because of the ongoing development and introduction of new botnets.