Jump to content
  • Over 200,000 MicroTik Routers Worldwide Are Under the Control of Botnet Malware

    aum

    • 1 comment
    • 403 views
    • 3 minutes
     Share


    • 1 comment
    • 403 views
    • 3 minutes

    Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

     

    According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.

     

    "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the Mēris botnet.

     

    The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

     

    "The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix for, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service," Hron said.

     

    In attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain "globalmoby[.]xyz."

     

    Interesting enough, both the domains were linked to the same IP address: 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

     

    "When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy)," Hron said. "This is a control panel for the orchestration of enslaved MikroTik routers," with the page displaying a live counter of devices connected into the botnet.

     

    But after details of the Mēris botnet entered public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.

     

    The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

     

    In light of these attacks, it's recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router's administration interface from the public side.

     

    "It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies," Hron said. "This is done to either anonymize the attacker's traces or to serve as a DDoS amplification tool."

     

    Source

    • Like 2
    • Thanks 1

    User Feedback

    Recommended Comments

    Just shows how many people aren't capable of following even the simplest security protocols. I use MT devices and this vulnerability was addressed in 2018, but devices that had their logins compromised can't be 'saved' just by upgrading the firmware. They need the login credentials changing too. After four years... they are still compromised because people can't change passwords.

    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...