Source: The Hacker News Author: info@thehackernews.com (The Hacker News) URL: https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html
-
ONE SENTENCE SUMMARY: A global botnet of about 13,000 hijacked MikroTik routers sends malware-laden spam that passes SPF checks because the spoofed sender domains publish misconfigured SPF DNS records, and its open SOCKS proxies make the routers usable for further attacks.
-
MAIN POINTS:
-
13,000 hijacked MikroTik routers form a global botnet used for malware propagation through spam campaigns.
-
The campaign, dubbed “Mikro Typo,” exploits misconfigured SPF DNS records so that spoofed messages pass sender-authentication checks at receiving mail servers.
-
Attackers use freight invoice lures to deliver malicious ZIP files containing obfuscated JavaScript payloads.
-
The botnet leverages a PowerShell script to connect compromised devices to a command-and-control server.
-
Outdated MikroTik RouterOS firmware, including versions affected by CVE-2023-30799 (a privilege-escalation flaw in RouterOS), gives attackers a way to compromise the routers and enrol them in the botnet.
-
SOCKS proxies on compromised routers mask malicious traffic origins, complicating detection and attribution.
-
SPF TXT records that end in “+all” (or a bare “all”, whose default qualifier is “+”) declare every host on the Internet an authorized sender, so mail spoofing those domains passes SPF regardless of which router it is relayed through.
-
The botnet supports malicious activities like DDoS attacks, phishing, and data theft.
-
The SOCKS proxies require no authentication, so any other threat actor who finds them can route traffic through the botnet.
-
MikroTik owners are advised to update firmware and secure accounts to prevent exploitation.
-
TAKEAWAYS:
-
Keeping MikroTik routers updated and secured is critical to mitigating botnet exploitation risks.
-
SPF records that end in a permissive qualifier (“+all” or a bare “all”) undermine sender authentication and let spoofed mail through filters that rely on it.
-
SOCKS proxies complicate tracking and mitigation of malicious botnet activities.
-
The botnet’s versatility enables a range of threats, from phishing to DDoS attacks.
-
Network edge devices such as MikroTik routers need the same patching, credential hygiene and exposure controls as any other Internet-facing system.
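The SPF weakness described in the “+all” main point and in the permissive-settings takeaway, as an added worked example (this code is not from The Hacker News article or from the researchers it cites): an offline auditor that parses an SPF TXT record, flags a permissive “all” qualifier, and evaluates whether an arbitrary sender IP, such as a hijacked router, would pass. The records, IP addresses and function names are constructed for illustration, and the evaluator covers only the ip4/ip6/all subset of RFC 7208; mechanisms that need DNS lookups are skipped.

```python
"""Offline SPF record auditor (added example, not the article's code).

Flags the '+all' misconfiguration that lets spoofed mail pass SPF and evaluates
which sender IPs a record would let through. Simplified subset of RFC 7208:
ip4, ip6 and all are evaluated locally; mechanisms that need DNS (a, mx,
include, exists, ptr) are skipped and redirect=/exp= modifiers are ignored.
All records and IP addresses below are constructed examples.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches. A bare mechanism
# (no prefix) defaults to '+', which is why "v=spf1 all" is as bad as "+all".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; ignored offline
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def check_sender(record, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, argument in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches and ends evaluation
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip in network:  # an IPv4/IPv6 version mismatch simply does not match
                return QUALIFIERS[qualifier]
        # a, mx, include, exists, ptr need DNS and are skipped in this offline evaluator
    return "neutral"  # RFC 7208: nothing matched and no 'all' present


def audit(record):
    """Return a list of findings describing permissive or dead parts of a record."""
    findings = []
    mechanisms = parse_spf(record)
    all_positions = [i for i, (_, name, _) in enumerate(mechanisms) if name == "all"]
    if not all_positions:
        findings.append("no 'all' mechanism: unlisted senders get 'neutral', not 'fail'")
        return findings
    first_all = all_positions[0]
    qualifier = mechanisms[first_all][0]
    if qualifier == "+":
        findings.append("'+all': every host on the Internet passes SPF for this domain")
    elif qualifier == "?":
        findings.append("'?all': unlisted senders get 'neutral' instead of 'fail'")
    if first_all != len(mechanisms) - 1:
        findings.append("mechanisms after 'all' are never evaluated")
    return findings


# Constructed records: the weak form the campaign abuses and a corrected form.
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 +all"
BARE_ALL_RECORD = "v=spf1 ip4:203.0.113.0/24 all"  # identical meaning to +all
FIXED_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("bare", BARE_ALL_RECORD), ("fixed", FIXED_RECORD)):
        print(label, record)
        for finding in audit(record) or ["no findings"]:
            print("   ", finding)
        # 198.51.100.7 stands in for a hijacked router that is not an authorized sender
        print("    unlisted sender 198.51.100.7 ->", check_sender(record, "198.51.100.7"))
```

The audit only inspects the record's own text; a production check would also follow include: and redirect= chains, since a permissive "+all" in an included record has the same effect. Run it against the TXT record for each domain you send mail from and treat any "+all" finding as a must-fix.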