A large-scale cyberattack has compromised around 13,000 MikroTik routers, forming a global botnet used to spread malware through spam email campaigns. This cybercrime activity, dubbed Mikro Typo by Infoblox security researchers, exploits security loopholes in MikroTik devices, bypassing standard email protection measures to deliver malicious payloads. Here’s everything you need to know about this new threat.
What Is the Mikro Typo Campaign?
The Mikro Typo campaign uses a botnet of hijacked MikroTik routers to send out spam emails that appear to come from legitimate domains. These emails are designed to deceive recipients into opening malicious attachments, often in the form of ZIP files containing obfuscated JavaScript. The payload is then used to launch a PowerShell script, which establishes a connection to a command-and-control (C2) server.
The attackers have been leveraging misconfigured DNS records to bypass email security protocols, taking advantage of weak configurations in the sender policy framework (SPF) TXT records of around 20,000 domains. This vulnerability makes it easier for attackers to send emails on behalf of legitimate domains, increasing the chances of their malicious emails being opened.
How Did the MikroTik Routers Get Compromised?
Although the exact method of infiltration is still unknown, some of the affected MikroTik routers were running vulnerable firmware versions. Notably, CVE-2023-30799, a critical privilege escalation vulnerability, could have been exploited to gain unauthorized access and execute arbitrary code on the devices.
Once compromised, the routers were configured to enable SOCKS (Secure Sockets) proxies. This turned the routers into proxies for malicious traffic, making it harder to trace the origin of cyberattacks. Importantly, there is no authentication required to use these proxies, leaving the routers vulnerable to further exploitation by other cybercriminals.
The Impact of SOCKS Proxies and Misconfigured SPF Records
The use of SOCKS proxies complicates the detection of malicious activities, as it masks the true source of the traffic. This makes it difficult for security teams to identify and mitigate the attack. Moreover, the misconfigured SPF records, with the permissive “+all” option, defeat the purpose of SPF protections, allowing attackers to send emails from legitimate domains. This increases the likelihood that their malspam campaigns will be successful.
What Are the Risks to Organizations and Users?
The hijacked MikroTik routers have the potential to launch a wide range of malicious activities, including Distributed Denial-of-Service (DDoS) attacks, data theft, and phishing campaigns. The ability to bypass email security protocols gives cybercriminals a significant advantage in spreading their malware to a large number of targets.
In addition to malspam, compromised routers could be used in larger-scale cyberattacks, including ransomware distribution, as part of the botnet. The SOCKS proxies further complicate detection, making it even more challenging to trace and stop the attack.
How to Protect Your MikroTik Router and Network
If you are using a MikroTik router, it is crucial to take immediate steps to protect your device from exploitation:
- Update Your Firmware: Ensure your MikroTik router is running the latest firmware to protect against known vulnerabilities like CVE-2023-30799.
- Change Default Credentials: Many routers come with default usernames and passwords that are easy for attackers to guess. Change these to strong, unique credentials.
- Review DNS Settings: Double-check your DNS and SPF records to ensure they are configured properly. Avoid using overly permissive settings that could allow unauthorized senders to spoof your domain.
- Monitor Network Activity: Regularly monitor your network for unusual traffic patterns or activity that might indicate a compromise.
- Enable Two-Factor Authentication: If available, enable two-factor authentication (2FA) for accessing your router’s admin interface.
Conclusion
The hijacking of 13,000 MikroTik routers for malspam and cyberattacks is a reminder of the critical importance of securing IoT devices and network equipment. By taking proactive steps such as updating firmware, changing default passwords, and reviewing DNS configurations, you can protect your MikroTik router from being exploited by cybercriminals. The use of SOCKS proxies and misconfigured SPF records further highlights the need for robust security measures to safeguard your network from evolving cyber threats.