Cyber security news for all

    13,000 MikroTik Routers Compromised to Power Malspam Botnet and Cyber Offensives

    An expansive network comprising approximately 13,000 commandeered MikroTik routers has been repurposed into a botnet, orchestrated to disseminate malware through spam-driven campaigns—marking the latest addition to a series of malicious botnets exploiting MikroTik devices.

    The scheme leverages “misconfigured DNS records to circumvent email protection mechanisms,” according to a detailed report published last week by Infoblox security researcher David Brunsdon. “This botnet capitalizes on a global array of MikroTik routers to dispatch deceptive emails masquerading as authentic communications from legitimate domains.”

    Dubbed Mikro Typo, the operation was unearthed following the identification of a malspam initiative in late November 2024. This campaign utilized freight invoice-themed lures to entice unsuspecting recipients into extracting and executing a ZIP archive payload.

    Within the ZIP archive resides an obfuscated JavaScript file, which initiates a PowerShell script designed to establish an outbound connection to a command-and-control (C2) server housed at IP address 62.133.60[.]137.

    Although the exact mechanism through which the routers were initially infiltrated remains elusive, multiple firmware versions—some susceptible to CVE-2023-30799—have been implicated. This critical privilege escalation flaw can be weaponized to achieve arbitrary code execution.

    “Regardless of the initial compromise vector, the adversaries appear to have embedded a script into the MikroTik devices, enabling SOCKS (Secure Sockets) functionality. This transforms the devices into TCP redirectors,” explained Brunsdon.

    “Activating SOCKS essentially metamorphoses each router into a proxy, obfuscating the genuine origin of malicious traffic and complicating attribution efforts.”

    Compounding the problem, the proxies require no authentication, so other malicious actors can use them as well. This opens the door to a range of attacks, including distributed denial-of-service (DDoS) and phishing operations.

    The malspam campaign exploits misconfigured Sender Policy Framework (SPF) TXT records on 20,000 domains. The misconfiguration lets the attackers send spoofed emails that appear to originate from those domains and so pass the SPF checks that receiving mail servers rely on.

    The exploitation hinges on SPF records that end with the overly permissive “+all” directive, which tells receiving servers that any host on the internet is authorized to send mail for the domain and thereby nullifies the record's intended protective function. Consequently, compromised MikroTik routers can impersonate legitimate domains in outbound email.
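As an added illustration of the SPF weakness described above (this is example code written for this page, not part of the Infoblox report or the article), the following Python script parses an SPF TXT record the way RFC 7208 defines mechanisms and qualifiers and reports the verdict a receiver would reach for a sender that matches none of the listed hosts. It also catches the less obvious form of the problem: an `all` term with no qualifier, which SPF treats as `+all`. The domain names and records in it are constructed placeholders, not real DNS data.

```python
"""Audit SPF TXT records for a permissive catch-all ("+all").

Added example, not code from the article or the Infoblox report.
The sample records below are constructed for illustration only.
"""
import re

# RFC 7208 qualifiers. A mechanism written without one defaults to "+",
# so "v=spf1 a mx all" authorises every sender just like "+all" does.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Modifiers ("redirect=...", "exp=...") are name=value pairs, not mechanisms.
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")


def parse_spf(record: str):
    """Split an SPF TXT record into (qualifier, name, argument) terms.

    Returns None if the string is not an SPF record at all.
    Modifiers come back with qualifier None so callers can tell them apart.
    """
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return None
    terms = []
    for tok in tokens[1:]:
        if MODIFIER_RE.match(tok):
            name, _, value = tok.partition("=")
            terms.append((None, name.lower(), value))
            continue
        qualifier = "+"  # implicit default per RFC 7208
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def catch_all_policy(record: str) -> str:
    """Verdict for a sender that matches no earlier mechanism.

    "pass" means "+all" (explicit or implicit): any host may send as the
    domain, which is exactly the misconfiguration the botnet abuses.
    Mechanisms after "all" are ignored, and "all" takes precedence over a
    "redirect=" modifier, so the first "all" term decides.
    """
    terms = parse_spf(record)
    if terms is None:
        return "no-spf"
    for qualifier, mech, _ in terms:
        if mech == "all":
            return QUALIFIERS[qualifier]
    if any(q is None and mech == "redirect" for q, mech, _ in terms):
        return "redirect"  # verdict depends on the redirected-to domain
    return "neutral"  # RFC 7208 default when no "all" term is present


def is_spoofable(record: str) -> bool:
    """True when the record lets arbitrary hosts pass SPF for the domain."""
    return catch_all_policy(record) == "pass"


# Constructed sample records; the domains are placeholders, not real ones.
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 ip4:192.0.2.0/24 +all",
    "implicit.example": "v=spf1 a mx all",           # no qualifier => "+"
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 include:_spf.mail.example ~all",
    "redirected.example": "v=spf1 redirect=_spf.mail.example",
    "not-spf.example": "google-site-verification=placeholder",
}


def audit(records: dict) -> dict:
    """Map each domain to its catch-all verdict; "pass" entries need fixing."""
    return {domain: catch_all_policy(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        flag = "SPOOFABLE" if verdict == "pass" else "ok"
        print(f"{domain:22} {verdict:10} {flag}")
```

In a real audit the records would come from a DNS TXT lookup of each domain; the remediation for any domain flagged `pass` is to replace the trailing `+all` (or bare `all`) with `-all` or `~all` after listing the hosts that genuinely send mail for it.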

    Owners of MikroTik devices are urged to fortify their defenses by updating router firmware and modifying default account credentials to mitigate potential breaches.

    “The sheer volume of compromised MikroTik routers enables this botnet to execute an extensive array of nefarious activities, spanning from DDoS assaults to data exfiltration and phishing campaigns,” Brunsdon remarked. “The integration of SOCKS4 proxies exacerbates detection and remediation challenges, underscoring the imperative for robust cybersecurity measures.”