Botnet: Hacked MikroTik routers are used to spread malware

About 13,000 MikroTik routers were hacked and used to create a botnet that distributes malware and performs other illegal activitiesAccording to cybersecurity company Infoblox. The malicious campaign was discovered in November 2024.

According to the report published last week, those responsible for the action took advantage of “misconfigured DNS records” on devices produced by the Latvia-based company and sent malicious emails that appeared to come from the logistics company DHL. Tens of thousands of fake messages were sent.

The messages encouraged recipients to download a ZIP file; Trojan horse linked to previous activities of Russian cybercriminals. By silently installing the malware, attackers were able to access compromised devices remotely.

Security researchers also identified 20,000 domains involved in sending spoofed emails that may have used the names of other companies. They believe the botnet of hacked MikroTik routers is being used for further activities such as denial of service (DDoS) attacks, phishing campaigns, and data theft.

old fault

According to the cybersecurity company, Various firmware versions of MikroTik routers were affected by this issueLike those vulnerable to the CVE-2023-30799 flaw. The flaw, discovered in 2023, exposed more than 500,000 devices to malicious actions.

This critical privilege escalation vulnerability allows arbitrary code execution, allowing the attacker to gain full access to the compromised device. Its exploitation relies on authentication, exploiting the equipment’s lack of protection against password brute force attacks, according to a report at the time.

The researchers responsible for the discovery recommend that MikroTik router owners keep their devices updated to the latest firmware. Another suggestion they gave is Change default account credentials to make unauthorized access attempts more difficult.