Mēris Bot infects MikroTik routers compromised in 2018

Latvian vendor MikroTik revealed that recently discovered Mēris botnet is targeting devices that were compromised three years ago.

Last week, the Russian Internet giant Yandex has been targeting by the largest DDoS attack in the history of Runet, the Russian Internet designed to be independent of the world wide web and ensure the resilience of the country to an internet shutdown.

The DDoS attack was launched by a new DDoS botnet tracked as Mēris (Latvian word for ‘plague’), it peaked at the unprecedented rate of 21.8 million requests per second.

According to a joint investigation conducted by Yandex and Qrator Labs, the Mēris botnet is composed of approximately more than 200,000 devices.

According to the experts, most of the devices composing the botnet are MikroTik routers running various versions of RouterOS. The network equipment maker MikroTik revealed that the routers were previously compromised in 2018. The vendor explained that the devices haven’t been properly secured, even if the security patches released by MikroTik at the time were installed.

“As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was quickly patched.” reads a post published by MikroTik in a forum post.

“Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create. We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.”

The company pointed out that if somebody got users password in 2018, even if the routers have been patched. Users are recommended to change password, re-check their firewall settings to block untrusted remote access and check for suspicious scripts.

The vendor highlighted that the threat actors are not exploiting any undisclosed vulnerability in the devices, the company attempted to notify potentially affected users but many of them have never been in contact with MikroTik and evidently did not properly secured their devices.

The experts also recommend to disable SOCKS and disable all suspicious rules.

“If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.” concludes the post.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]