Mirai botnet is back — now as "Meris"
Peace,
An undisclosed (or, even, yet undiscovered by the vendor) vulnerability in SOHO Mikrotik routers seems to be exploited by someone. Approx. 328 thousand devices already joined the botnet, with each having unrestricted access to the uplink (up to 1 Gbps). 42,6% of exploited devices reside in the U.S.
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/
I didn't know Mikrotik was so popular in North America! Patching all those SOHO WiFi routers must be fun...
-- Töma
Mikrotik is a very popular router in small to medium ISPs, running, well, everything.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Töma Gavrichenkov" <ximaera@gmail.com>
To: "NANOG" <nanog@nanog.org>
Sent: Thursday, September 9, 2021 4:41:03 AM
Subject: Mirai botnet is back — now as "Meris"

Peace,
An undisclosed (or, even, yet undiscovered by the vendor) vulnerability in SOHO Mikrotik routers seems to be exploited by someone. Approx. 328 thousand devices already joined the botnet, with each having unrestricted access to the uplink (up to 1 Gbps). 42,6% of exploited devices reside in the U.S.
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/
I didn't know Mikrotik was so popular in North America! Patching all those SOHO WiFi routers must be fun...
-- Töma
Oof. I wonder if there is any connection to their DDNS service outage a couple days ago?
https://forum.mikrotik.com/viewtopic.php?t=178256
*Brandon Svec*

On Thu, Sep 9, 2021 at 2:43 AM Töma Gavrichenkov <ximaera@gmail.com> wrote:
Peace,
An undisclosed (or, even, yet undiscovered by the vendor) vulnerability in SOHO Mikrotik routers seems to be exploited by someone. Approx. 328 thousand devices already joined the botnet, with each having unrestricted access to the uplink (up to 1 Gbps). 42,6% of exploited devices reside in the U.S.
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/
I didn't know Mikrotik was so popular in North America! Patching all those SOHO WiFi routers must be fun...
-- Töma
Peace,
On Thu, Sep 9, 2021 at 7:57 PM Brandon Svec via NANOG <nanog@nanog.org> wrote:
Oof. I wonder if there is any connection to their DDNS service outage a couple days ago? https://forum.mikrotik.com/viewtopic.php?t=178256
No, hardly any. That one seems to be just a DNS abuse reporting/delegation issue.
...well, by some wild extension one could imagine that the botnet operator reported some fake issue just to have the vendor's infrastructure blocked. Therefore, IoT vendors that don't enforce security updates on the devices they sell, should expect criminals to go to great lengths to keep their update servers and the infrastructure down once some RCE vulnerabilities are found.
But that's a wild extension.
-- Töma
No rest for the wired 🙂

________________________________
From: NANOG <nanog-bounces+mel=beckman.org@nanog.org> on behalf of Töma Gavrichenkov <ximaera@gmail.com>
Sent: Thursday, September 9, 2021 10:07 AM
To: Brandon Svec <bsvec@teamonesolutions.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: Mirai botnet is back — now as "Meris"

Peace,
On Thu, Sep 9, 2021 at 7:57 PM Brandon Svec via NANOG <nanog@nanog.org> wrote:
Oof. I wonder if there is any connection to their DDNS service outage a couple days ago? https://forum.mikrotik.com/viewtopic.php?t=178256
No, hardly any. That one seems to be just a DNS abuse reporting/delegation issue.
...well, by some wild extension one could imagine that the botnet operator reported some fake issue just to have the vendor's infrastructure blocked. Therefore, IoT vendors that don't enforce security updates on the devices they sell, should expect criminals to go to great lengths to keep their update servers and the infrastructure down once some RCE vulnerabilities are found.
But that's a wild extension.
-- Töma
participants (4)
- Brandon Svec
- Mel Beckman
- Mike Hammett
- Töma Gavrichenkov