13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

Source: The Hacker News
Author: [email protected] (The Hacker News)
URL: https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html

## ONE SENTENCE SUMMARY:
A global botnet of roughly 13,000 hijacked MikroTik routers, exposed as open SOCKS proxies, relays malspam that abuses permissive SPF DNS records ("+all") on legitimate domains to spoof senders and deliver malware.

## MAIN POINTS:
1. About 13,000 hijacked MikroTik routers form a global botnet used to relay spam campaigns that deliver malware.
2. The campaign, dubbed "Mikro Typo," abuses misconfigured SPF DNS TXT records so that spoofed mail passes sender checks.
3. Freight invoice lures deliver malicious ZIP attachments containing obfuscated JavaScript payloads.
4. The JavaScript drops and runs a PowerShell script that connects the victim's machine to a command-and-control server.
5. How the routers were compromised is not confirmed; the firmware versions seen include ones affected by CVE-2023-30799, a RouterOS privilege escalation flaw.
6. SOCKS proxies running on the compromised routers mask the true origin of malicious traffic, complicating detection and attribution.
7. SPF TXT records ending in "+all" let any host send mail for the domain, which allowed the attackers to spoof roughly 20,000 legitimate sender domains.
8. The botnet supports further malicious activity such as DDoS attacks, phishing, and data theft.
9. The proxies require no authentication, so other threat actors can use the routers as relays as well.
10. MikroTik owners are advised to update RouterOS, change default account credentials, and restrict remote management to prevent exploitation.
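To make the "+all" problem from point 7 concrete, here is a small offline SPF evaluator, added as an example for this summary (it is not code from the article or from Infoblox). It parses an SPF TXT record, evaluates a sender IP against the `ip4`, `ip6`, `include` and `all` mechanisms, and shows that a permissive record accepts mail from any address, such as a hijacked router, while a record ending in `-all` rejects it. The domain names, addresses and records are constructed for the example (RFC 5737/3849 documentation ranges); `include` is resolved from an in-memory dict rather than DNS so the script runs offline. To check a real domain, publish the output of `dig +short TXT yourdomain.example` through `evaluate_spf` or `has_open_all`.

```python
import ipaddress

# Constructed sample records (not from the article). The first mirrors the
# "+all" misconfiguration the campaign abused; the second is the hardened
# form an administrator should publish instead.
SPF_PERMISSIVE = "v=spf1 include:_spf.example.net +all"
SPF_HARDENED = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# Constructed stand-in for the DNS lookup an "include:" would normally trigger.
SAMPLE_INCLUDES = {"_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= are not handled here
            continue
        qual = "+"  # an unqualified mechanism means "+" (pass) per RFC 7208
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qual, mech.lower(), value))
    return parsed


def evaluate_spf(record, sender_ip, includes=None):
    """Return the SPF result ("pass", "fail", "softfail", "neutral") for sender_ip.

    Only ip4, ip6, include and all are implemented. "include" matches when the
    referenced record, looked up in `includes`, itself yields "pass".
    """
    includes = includes or {}
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = includes.get(value.lower())
            if inner and evaluate_spf(inner, sender_ip, includes) == "pass":
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term was present


def has_open_all(record):
    """True when the record contains "+all" or a bare "all": every host passes."""
    return any(mech == "all" and qual == "+" for qual, mech, _ in parse_spf(record))


if __name__ == "__main__":
    # A hijacked router at an arbitrary address that the domain owner never authorised.
    rogue_router = "192.0.2.77"
    print("permissive:", evaluate_spf(SPF_PERMISSIVE, rogue_router, SAMPLE_INCLUDES))  # pass
    print("hardened:  ", evaluate_spf(SPF_HARDENED, rogue_router, SAMPLE_INCLUDES))    # fail
    print("open +all? ", has_open_all(SPF_PERMISSIVE), has_open_all(SPF_HARDENED))
```

The permissive record returns "pass" for the rogue address only because the trailing `+all` is reached after the `include` fails to match; with `-all` the same address is rejected, which is what receiving mail servers need in order to drop spoofed invoices.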

## TAKEAWAYS:
1. Keeping MikroTik routers updated and secured is critical to mitigating botnet exploitation risks.
2. SPF records ending in "+all" authorise every host on the internet to send mail for the domain, which defeats SPF as a safeguard against spoofing.
3. SOCKS proxies complicate tracking and mitigation of malicious botnet activities.
4. The botnet’s versatility enables a range of threats, from phishing to DDoS attacks.
5. Network edge devices such as MikroTik routers need the same patching and credential hygiene as servers, since a compromised router becomes infrastructure for others' attacks.