Routers from the Latvian manufacturer MikroTik, intended for use at home or in small businesses, make up the majority of the bot army of the DDoS botnet Mēris, which has been responsible for gigantic attacks against the cloud service provider Cloudflare and the Russian internet giant Yandex in recent months. Cloudflare reported an attack with up to 17 million requests per second. The attack on Yandex is said to have been even more violent.
According to analysts at the security company Qrator Labs, Mēris, a further development of the open source DDoS botnet code from Mirai, consists of up to 250,000 bots. According to the analysis, most of these bots are hijacked MikroTik routers. Attackers looking for bots for DDoS attacks on the Internet appreciate routers like these, as they are practically always connected to the Internet and, unlike many IoT devices, have hardware that provides significant computing power and memory. “Mēris” is Latvian and means, appropriately, “the plague”.
An old security hole with consequences
Surprisingly, the current attacks seem to go back to hijacked routers that are vulnerable due to an old security flaw. The vulnerability was fixed in March 2018 with firmware version 6.42.1 for the routers concerned. In December 2018 it was announced that the routers were still being hijacked en masse. At that time, the devices were mostly compromised by criminals in order to mine cryptocurrency without the knowledge of the owner.
This situation doesn’t seem to have changed very much in the last three years, because MikroTik is again warning that hijacked routers from the company are still under the control of attackers. The manufacturer suspects that the attackers stole access passwords to the affected devices in 2018 and can still access them because the passwords were never changed. Even if the routers were later secured with security updates, the attackers would still have access.
All users should change their passwords
MikroTik recommends that users of its devices change their passwords now and choose stronger passwords while doing so. In addition, all current security updates for the devices should be installed, and users should check the configuration of the devices for settings that they have not changed themselves. MikroTik further recommends not making the web interface of the router accessible from the Internet and managing the devices only from the local network. If the devices have to be managed remotely, the manufacturer recommends setting up VPN access.
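The hardening steps the manufacturer lists above, expressed as RouterOS terminal commands. This is an added example, not from the article or from MikroTik; the LAN subnet 192.168.88.0/24 is an assumption and must be replaced with the local management network.

```routeros
# 1. Install current firmware (the 2018 flaw was fixed in 6.42.1, but stay current).
/system package update check-for-updates
/system package update install

# 2. Set a new, strong admin password (replace the placeholder).
/user set admin password="REPLACE-WITH-LONG-RANDOM-PASSWORD"

# 3. Review configuration for entries you did not create yourself:
#    extra user accounts, scheduled scripts, and proxy/socks settings.
/user print
/system scheduler print
/system script print
/ip socks print
/ip proxy print

# 4. Do not expose management from the Internet: restrict services to the
#    LAN (assumed 192.168.88.0/24) and disable the ones you do not use.
/ip service set [find name=www] address=192.168.88.0/24
/ip service set [find name=winbox] address=192.168.88.0/24
/ip service set [find name=ssh] address=192.168.88.0/24
/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]
/ip service print
```

Remote administration should then go through a VPN terminating on the router, so that the management services only ever see addresses from the LAN range.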
The router manufacturer has discovered Trojans that, as soon as they are installed on a Windows computer by an unsuspecting user, search the local network for MikroTik routers in order to hijack them. This malware tries to exploit the 2018 security flaw. If that has been patched, however, it seems to resort to cracking weak admin passwords on the routers.
MikroTik says that it tried to reach its own customers and inform them about the problem, but did not have much success. “Many of our customers have never had contact with MikroTik and are not actively looking after their devices.” The company is now working on “other ways” to tackle the problem of the zombie routers. The manufacturer does not say exactly what these options are in its communication.