A botnet of roughly 13,000 compromised MikroTik devices is abusing domain name system (DNS) misconfigurations to bypass email security controls and distribute malware. The operators achieve this by exploiting weaknesses in the Sender Policy Framework (SPF) records of roughly 20,000 web domains.

Exploiting SPF Misconfiguration

Security researchers at Infoblox have identified a malspam campaign, active in late November 2024, that exploits misconfigured SPF DNS records. The attackers used these misconfigurations to deliver emails impersonating reputable companies such as DHL Express. The emails carried fake freight invoices as ZIP attachments; each ZIP contained a JavaScript file that launched a PowerShell script, which in turn connected to a command and control (C2) server linked to Russian cybercriminals. Infoblox noted, "The spam emails' headers unveiled a large network of about 13,000 hacked MikroTik devices, forming a significant botnet."

The underlying flaw lies in the SPF DNS records of around 20,000 domains, which are configured with the permissive "+all" option. That setting allows any server on the Internet to send email on behalf of these domains, defeating SPF's purpose of preventing unauthorized email spoofing. The safer "-all" option restricts sending to the servers the domain explicitly lists.
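As an added example that is not part of the original report or of Infoblox's tooling, the following Python script classifies SPF TXT records by the qualifier on their "all" term, flagging the permissive "+all" the campaign abused (a bare "all" means the same thing) and showing the recommended "-all" form beside it. It also handles the edge cases an auditor meets in practice: records with no "all" term (implicit neutral), records that delegate via "redirect=", and TXT records that are not SPF at all. All domain names and records are constructed sample data using reserved documentation names and addresses.

```python
"""Audit SPF TXT records for the permissive "+all" qualifier.

Added example, not from the article or Infoblox. The record strings below
are constructed test data (RFC 5737 documentation addresses, reserved
.example names), not real domains.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 7208 modifiers look like name=value (redirect=, exp=); mechanisms use ':'.
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.\-]*=", re.I)

# Risk label for the qualifier on the "all" mechanism. A bare "all" is "+all".
ALL_RISK = {
    "+": ("critical", "+all: any host on the Internet may send mail as this domain"),
    "?": ("weak", "?all: unlisted senders get a neutral result, which is not a rejection"),
    "~": ("ok", "~all: unlisted senders soft-fail; usually paired with DMARC"),
    "-": ("strict", "-all: unlisted senders fail, as the article recommends"),
}


@dataclass
class SpfVerdict:
    domain: str
    all_qualifier: Optional[str]  # "+", "-", "~", "?" or None when no "all" term
    risk: str                     # critical | weak | ok | strict | delegated | not-spf
    reason: str


def parse_spf(record: str) -> Optional[List[Tuple[str, str]]]:
    """Split an SPF record into (qualifier, term) pairs; modifiers get qualifier ''."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # not an SPF record at all (e.g. a site-verification TXT)
    parsed = []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            parsed.append(("", term.lower()))
            continue
        qualifier = "+"  # RFC 7208: a mechanism without a qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def assess_spf(domain: str, record: str) -> SpfVerdict:
    """Classify a record by how it treats senders that match no listed mechanism."""
    terms = parse_spf(record)
    if terms is None:
        return SpfVerdict(domain, None, "not-spf", "record does not start with v=spf1")
    for qualifier, term in terms:
        # The first "all" ends evaluation; anything after it is never consulted.
        if qualifier and term == "all":
            risk, reason = ALL_RISK[qualifier]
            return SpfVerdict(domain, qualifier, risk, reason)
    if any(term.startswith("redirect=") for qualifier, term in terms if not qualifier):
        return SpfVerdict(domain, None, "delegated",
                          "no 'all' term; the redirect= target's record decides")
    return SpfVerdict(domain, None, "weak",
                      "no 'all' term; unmatched senders get an implicit neutral result")


def harden_record(record: str) -> str:
    """Rewrite "all", "+all" or "?all" to "-all", keeping the listed senders.

    The sender list itself is untouched, so confirm it is complete before
    publishing, or legitimate mail will start failing SPF.
    """
    fixed = []
    for term in record.strip().split():
        fixed.append("-all" if term.lower() in ("all", "+all", "?all") else term)
    return " ".join(fixed)


def audit(records: dict) -> List[SpfVerdict]:
    """Run assess_spf over a {domain: record} mapping, preserving input order."""
    return [assess_spf(domain, record) for domain, record in records.items()]


# Constructed sample zone data (documentation ranges and reserved .example names).
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all",
    "bare-all.example":   "v=spf1 mx all",
    "hardened.example":   "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "softfail.example":   "v=spf1 mx ~all",
    "neutral.example":    "v=spf1 a ?all",
    "no-all.example":     "v=spf1 mx",
    "redirected.example": "v=spf1 redirect=_spf.example.net",
    "not-spf.example":    "site-verification=constructed-token",
}

if __name__ == "__main__":
    for verdict in audit(SAMPLE_RECORDS):
        print(f"{verdict.domain:22} {verdict.risk:10} {verdict.reason}")
        if verdict.risk == "critical":
            print(f"{'':22} suggested: {harden_record(SAMPLE_RECORDS[verdict.domain])}")
```

To audit real zones, replace the constructed dictionary with TXT records fetched from DNS and review every "critical" and "weak" verdict; the "delegated" case needs the redirect target's record assessed in turn, since a "+all" there is just as permissive.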

Botnet Operation Overview

Infoblox observed several MikroTik firmware versions among the affected devices, although the exact compromise path remains undetermined. These routers are frequent targets for botnet building because of their capabilities, as seen in earlier large distributed denial-of-service (DDoS) attacks; in one notable incident against OVHcloud, a MikroTik-based botnet reached record attack volumes. Despite advisories to update, many MikroTik devices still run outdated firmware because owners patch slowly. This botnet turns the compromised devices into SOCKS4 proxies, which support DDoS attacks, phishing, and data exfiltration while hiding the true origin of the malicious traffic. According to Infoblox, "The configuration as SOCKS proxies allows tens of thousands of machines to utilize these routers, amplifying the botnet’s reach and impact."

Security Recommendations

Owners of MikroTik devices are urged to update their firmware, secure the administrator credentials, and disable remote access to the management interface wherever it is not needed, in order to reduce the risk of compromise.