<h1>Router protection for MikroTik users</h1>
<p>Kaspersky Daily, published 2021-09-16. Source: <a href="https://www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/">https://www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/</a></p>
<p>Recent <a href="https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/" target="_blank" rel="nofollow noopener">large-scale DDoS attacks</a> using a new botnet called Mēris peaked at almost 22 million requests per second. According to <a href="https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/" target="_blank" rel="nofollow noopener">Qrator research</a>, MikroTik’s network devices generated a fair share of the botnet’s traffic.</p>
<p>Having analyzed the situation, MikroTik experts found no new vulnerabilities in the company’s routers; however, old ones may still pose a threat. Therefore, to ensure your router has not joined the Mēris botnet (or any other botnet, for that matter), you need to follow a few recommendations.</p>
<h2>Why MikroTik devices are joining the botnet</h2>
<p>A few years ago, security researchers discovered a <a href="https://www.kaspersky.ru/blog/web-sas-2018-apt-announcement-2/19874/" target="_blank" rel="noopener">vulnerability in MikroTik routers</a>, specifically in Winbox, a configuration tool for MikroTik routers, through which many devices were compromised. Although MikroTik fixed the vulnerability back in 2018, apparently not all users updated their routers.</p>
<p>Furthermore, even among those who did, not everyone followed the manufacturer’s additional recommendation to change the password. If a user didn’t change the password, then even updated firmware could let attackers log in to the router and start exploiting it again.</p>
<p>According to <a href="https://blog.mikrotik.com/security/meris-botnet.html" target="_blank" rel="nofollow noopener">MikroTik</a>, the routers that are now infected with Mēris are the same devices that were compromised back in 2018. The company has published indicators of device compromise and issued recommendations.</p>
<h2>How to tell if your MikroTik router is part of a botnet</h2>
<p>When a router joins a botnet, cybercriminals change a number of settings in the device firmware. Therefore, MikroTik’s first recommendation is to look at the device configuration and check for the following:</p>
<ul>
<li>A scheduler rule that executes a script using the fetch() method. Remove this rule (under System → Scheduler) if present;</li>
<li>A SOCKS proxy server that is enabled. You’ll find the setting under IP → SOCKS; if you do not use it, disable it;</li>
<li>An L2TP client called lvpn (or any other L2TP client you do not recognize). Delete such clients as well;</li>
<li>A firewall rule that allows remote access through port 5678. Remove this rule.</li>
</ul>
<h2>Recommendations for protecting your MikroTik router</h2>
<p>Regular updates are a crucial part of any successful defense strategy. Much of keeping a MikroTik network safe is following general network security best practices.</p>
<ul>
<li>Make sure your router is using the latest firmware available, and update it regularly;</li>
<li>Disable remote access to the device unless you absolutely need it;</li>
<li>Configure remote access — again, if you really need it — through a VPN channel. For example, use the IPsec protocol;</li>
<li>Use a long and strong management password. Even if your current password is strong, change it now, just in case.</li>
</ul>
<p>In general, proceed under the assumption that your local area network is not secure: if one computer gets infected, the malware can attack the router from inside your perimeter and gain access by brute-forcing passwords. That is why, for our part, we strongly recommend using <a href="https://www.kaspersky.com/small-business-security/small-office-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksos___" target="_blank" rel="noopener nofollow">reliable security solutions</a> on all Internet-connected computers.</p>