MikroTik has published an official statement regarding the Mēris botnet, which is built in part from the Latvian manufacturer's own equipment. The document sets out measures for protecting its devices against such attacks.

The Mēris botnet was discovered by experts from Qrator Labs and Yandex when the most powerful DDoS attack in history was carried out against the latter's resources. According to preliminary data, MikroTik equipment was used in the botnet. The Latvian brand conducted its own investigation and found that the attack involved routers compromised back in 2018 through a RouterOS vulnerability that was discovered at the time and promptly fixed.

However, MikroTik noted, simply updating the firmware is not enough: if someone gained access to the router in 2018, the password still has to be changed. In addition, the manufacturer pointed to the need to check the firewall settings and look for scripts that the administrator did not create. The company tried to contact all owners of RouterOS-based devices; however, many of them have never been in contact with MikroTik and have paid little attention to monitoring their devices.

At the moment, the company assured, its products have no vulnerabilities; RouterOS has been audited by several third-party contractors. The manufacturer has published a number of recommendations for protecting against such attacks.

The device needs to be updated regularly.

Do not expose the device's management interfaces to the Internet. If remote access is still required, it is better to reach the device through a VPN.

The password must be complex and must be changed regularly.

Don't assume your local network is secure. Malicious software can try to connect to a router that has a weak password, or no password at all.

It is recommended to inspect the RouterOS configuration for unknown settings.
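The following RouterOS terminal session is an added example of how an administrator could apply the five recommendations above on a single device. It is not taken from MikroTik's statement; it assumes (as this example's own conventions, not the article's) that the router already has interface lists named WAN and LAN, that management traffic comes from the default 192.168.88.0/24 subnet, and that the password shown is a placeholder to be replaced with a long, random one.

```routeros
# Added example, not MikroTik's own text. Assumes interface lists WAN and LAN
# exist, management subnet 192.168.88.0/24, and a placeholder password.

# 1. Keep the device updated: RouterOS packages first, then RouterBOARD firmware.
/system package update check-for-updates
/system package update install
/system routerboard upgrade

# 2. No management from the Internet: disable services that are not needed
#    and bind the remaining ones to the management subnet (assumed).
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
# Input chain: keep established sessions, allow management from LAN, drop the rest from WAN.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="allow established"
/ip firewall filter add chain=input in-interface-list=LAN action=accept comment="management only from LAN"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"

# 3. Strong password, changed regularly; then confirm no account is left without one.
/user set admin password="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
/user print

# 4. Do not trust the LAN: limit MAC-level management and neighbor discovery to LAN interfaces.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 5. Audit the configuration for anything the administrator did not create.
/system script print
/system scheduler print
/ip socks print
/ip proxy print
/ip dns print
/file print
/ip firewall filter print
/ip firewall nat print
/export compact
```

Firewall rules are evaluated in order and `add` appends to the end of the chain, so on a router that already has an input chain the new rules should be placed (with `place-before=`) ahead of any existing catch-all drop. In the audit step, every script, scheduler entry, SOCKS or web proxy setting, uploaded file and firewall rule that the administrator does not recognise is a candidate for removal, and `/export compact` gives the full configuration for comparison against a known-good backup.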

In collaboration with independent security experts, malware was discovered that tries to change the configuration of a MikroTik device via Windows computers on the network. Therefore, the company strongly recommends using a strong password to access the equipment, not allowing login without a password, and not using simple passwords that can be guessed from a dictionary. The manufacturer also gave advice on auditing the configuration.