https://blog.qrator.net/en/meris-botnet ... ecord_142/
> We do not know precisely what particular vulnerabilities led to the situation where Mikrotik devices are being compromised on such a large scale. Several records at the Mikrotik forum indicate that its customers experienced hacking attempts on older versions of RouterOS, particularly 6.40.1 from 2017. If this is correct and we see that old vulnerability still being active on thousands of devices being unpatched and unupgraded, this is horrible news. However, our data with Yandex indicates that this is not true – because the spectrum of RouterOS versions we see across this botnet varies from years old to recent. The largest share belongs to the version of firmware previous to the current Stable one.
This is scary - how are devices running 6.48.3 being infected? If there was a weak admin password and no firewall I could understand them being compromised, but the attacker should still be limited to boring things like running proxies and VPNs and whatever other functions exist in RouterOS. A scripted fetch attack also wouldn't generate such high levels of traffic; the fact that they can be used for a DDoS with an HTTP pipelining attack implies that the device has been rooted to run arbitrary code, which shouldn't be possible with modern RouterOS versions. Is there a new exploit going around?
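The comment above points at HTTP pipelining as the mechanism behind the flood. On the receiving side, the distinguishing feature of such traffic is that a single TCP segment carries many complete request lines, where a browser normally sends one. The following is an added example (written for this thread; it is not code from the commenter, from Qrator, or from Mikrotik) showing a simple per-connection pipelining-depth check over raw payload bytes. The client addresses, payloads and the threshold of 8 are constructed for illustration; HTTP/1.1 pipelining is allowed by the spec, so depth alone is a signal to correlate with request rate rather than proof of an attack.

```python
import re

# Matches one HTTP/1.x request line at the start of a line in a raw TCP payload.
# A browser usually sends a single request per segment; a pipelining flood packs
# dozens of request lines into one segment to maximise work per packet.
REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ \r\n]+ HTTP/1\.[01]\r\n",
    re.MULTILINE,
)


def count_pipelined_requests(payload):
    """Return how many request lines appear in one TCP payload (bytes)."""
    return len(REQUEST_LINE.findall(payload))


def flag_pipelining(flows, threshold=8):
    """Return the client identifiers whose payload holds >= threshold requests.

    flows maps "ip:port" -> raw payload bytes of one segment. The threshold is
    an assumed heuristic; tune it against what your own web service sees.
    """
    flagged = []
    for client, payload in flows.items():
        if count_pipelined_requests(payload) >= threshold:
            flagged.append(client)
    return flagged


# Constructed sample payloads (not captured traffic); addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
NORMAL_PAYLOAD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
PIPELINED_PAYLOAD = b"".join(
    b"GET /?q=%d HTTP/1.1\r\nHost: example.com\r\n\r\n" % i for i in range(20)
)
SAMPLE_FLOWS = {
    "192.0.2.10:51234": NORMAL_PAYLOAD,
    "198.51.100.7:40112": PIPELINED_PAYLOAD,
}

if __name__ == "__main__":
    for client, payload in SAMPLE_FLOWS.items():
        print(client, "requests in segment:", count_pipelined_requests(payload))
    print("flagged:", flag_pipelining(SAMPLE_FLOWS))
```

Run against real data, the `flows` dict would be filled from a packet capture or reverse-proxy access log keyed by connection; the regex deliberately anchors on the request line only, so chunked bodies or header continuation lines do not inflate the count.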