Ethical Hacking News
A newly discovered botnet made up of 13,000 compromised MikroTik devices has begun spreading malware via misconfigured SPF DNS records. The threat actor behind this operation impersonated DHL Express shipping company and delivered fake freight invoices with a ZIP archive containing a malicious payload. To protect your network from this attack, make sure to apply the latest firmware update, change default admin account credentials, and close remote access to control panels if not needed.
A botnet made up of approximately 13,000 compromised MikroTik routers is exploiting misconfigured DNS records to spread malware while impersonating companies such as DHL Express. Infoblox detected the malspam campaign and found that the threat actor's C2 server was hosted at a domain tied to Russian hackers. Misconfigured SPF DNS records allowed the threat actors to spoof web domains and deliver malware. MikroTik routers are known for being powerful and have been targeted by threat actors to create botnets capable of large-scale attacks. Device owners need to take immediate action to secure their systems, including applying the latest firmware update and changing default admin account credentials.
MikroTik, a popular brand of routers and networking equipment, has been at the center of a cybersecurity storm, as a botnet made up of approximately 13,000 compromised devices has begun to spread malware by exploiting misconfigured Domain Name System (DNS) records. The malicious campaign, which is believed to have started in late November 2024, has already managed to impersonate DHL Express and deliver fake freight invoices with a ZIP archive containing a malicious payload.
The threat actor behind this operation took advantage of improperly configured Sender Policy Framework (SPF) records. An SPF record is a DNS record that lists all the servers authorized to send email on behalf of a domain. The misconfiguration allowed them to spoof roughly 20,000 web domains and deliver malware to unsuspecting users. The emails in question were not only phishing attempts but also served as a vector for spreading malware.
Infoblox, a DNS security company, was among the first to detect the malspam campaign and quickly realized that they had uncovered a sprawling network of approximately 13,000 hijacked MikroTik devices. The compromised devices were configured as SOCKS4 proxies, which allowed them to launch distributed denial-of-service (DDoS) attacks, send phishing emails, exfiltrate data, and generally help mask the origin of malicious traffic.
According to Infoblox, some of the emails impersonated DHL Express shipping company and delivered fake freight invoices with a ZIP archive containing a JavaScript file that assembled and ran a PowerShell script. The script established a connection to the threat actor's command and control (C2) server at a domain previously tied to Russian hackers.
This misconfigured SPF DNS record essentially defeated the purpose of having an SPF record, as it opened the door for spoofing and unauthorized email sending. This is because the overly permissive "+all" option allowed any server to send emails on behalf of those domains. A safer choice would be using the "-all" option, which limits email sending to the servers specified by the domain.
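The following checker, an added example that is not part of the article or of Infoblox's research, shows how the terminating `all` mechanism decides what happens to a sender that matches none of the listed servers. The domain names and TXT records are constructed for illustration and belong to no real domain. The evaluator only resolves `ip4`/`ip6` mechanisms so it runs offline; `include`, `a` and `mx` would need DNS lookups and are treated as non-matching here.

```python
"""Classify SPF TXT records by how permissive their terminating "all" mechanism is.

Added example (not from the article or Infoblox). The records below are
constructed for illustration and do not belong to any real domain.
"""
import ipaddress

# Constructed sample TXT records (hypothetical domains, not those in the campaign).
SAMPLE_RECORDS = {
    "open.example":     "v=spf1 include:_spf.mailhost.example +all",  # anyone may send
    "implicit.example": "v=spf1 ip4:203.0.113.0/24 all",              # bare "all" means "+all"
    "soft.example":     "v=spf1 ip4:203.0.113.0/24 ~all",             # softfail for others
    "strict.example":   "v=spf1 ip4:203.0.113.0/24 -all",             # hardfail for others
    "none.example":     "v=spf1 ip4:203.0.113.0/24",                  # no "all": implicit neutral
}

# SPF qualifiers and the result they produce when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect= and exp= are skipped in this illustration.
    A mechanism without an explicit qualifier gets the default "+".
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:  # modifier (redirect=, exp=), ignored here
            continue
        qualifier = "+"
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def all_qualifier(record):
    """Return the qualifier of the 'all' mechanism, or None if it is absent."""
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":
            return qualifier
    return None


def is_overly_permissive(record):
    """True when the record ends in '+all', explicitly or via the default
    qualifier: every host on the internet then passes SPF for the domain."""
    return all_qualifier(record) == "+"


def check_ip(record, ip):
    """Evaluate an SPF record for a sender IP using ip4/ip6/all only.

    Returns one of pass/fail/softfail/neutral. Mechanisms that need DNS
    (include, a, mx) are treated as non-matching so the example runs offline.
    """
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def audit(records):
    """Map each domain to whether its SPF record lets anyone send as it."""
    return {domain: is_overly_permissive(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, permissive in audit(SAMPLE_RECORDS).items():
        verdict = "OVERLY PERMISSIVE" if permissive else "ok"
        print(f"{domain:18} {verdict:18} outsider -> {check_ip(SAMPLE_RECORDS[domain], '198.51.100.7')}")
```

Run against your own domains by fetching each TXT record (for example with `dig txt <domain>`) and passing the string to `is_overly_permissive`; any record that ends in `+all` or a bare `all` should be changed to `-all` (or `~all` during a transition) so that hosts outside the listed ranges fail the check.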
MikroTik routers are known for being powerful, and threat actors have targeted them to create botnets capable of large-scale attacks. The compromise method used in this case remains unclear, but Infoblox says they "saw a variety of versions impacted, including recent [MikroTik] firmware releases."
Just last summer, cloud services provider OVHcloud blamed a botnet of compromised MikroTik devices for a massive denial-of-service attack that peaked at a record 840 million packets per second. Despite repeated calls for MikroTik device owners to update their systems, many of the routers remain vulnerable for extended periods of time because of a very slow patch rate.
The botnet in this case configured the devices as SOCKS4 proxies to launch DDoS attacks, send phishing emails, exfiltrate data, and generally help mask the origin of malicious traffic. What's even more disturbing is that even though the botnet consists of 13,000 devices, their configuration as SOCKS proxies allows tens or even hundreds of thousands of compromised machines to use them for network access, significantly amplifying the potential scale and impact of the botnet’s operations.
In light of this discovery, it's clear that MikroTik device owners need to take immediate action to secure their systems. The latest firmware update should be applied to all affected devices, default admin account credentials should be changed, and remote access to control panels should be closed if not needed. By taking these steps, users can help prevent their routers from being compromised by threat actors like those behind this botnet.
This incident highlights the importance of proper DNS record configuration and the dangers of neglecting cybersecurity best practices. It also serves as a reminder that no network is completely secure and that regular updates and patches are necessary to stay protected against emerging threats.
Related Information:
https://www.bleepingcomputer.com/news/security/mikrotik-botnet-uses-misconfigured-spf-dns-records-to-spread-malware/
Published: Wed Jan 15 14:21:24 2025 by llama3.2 3B Q4_K_M