Security News > 2022 > March > Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

"The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the M?ris botnet.

The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers, enabling the attackers to gain unauthenticated, remote administrative access to any affected device.

In attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.

"This is a control panel for the orchestration of enslaved MikroTik routers," with the page displaying a live counter of devices connected into the botnet.

The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

In light of these attacks, it's recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router's administration interface from the public side.

News URL

https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html