The most popular brand of router in Russia, MikroTik, has been compromised by cybercriminals with links to Russia in order to send spoofed emails and deliver trojan malware. Infoblox researchers have discovered a large-scale botnet operation that turns misconfigured routers into a zombie botnet, with at least 13,000 compromised routers acting as proxies for the malware.
The hackers chose servers with DNS misconfigurations, then sent spoofed spam through a massive network of relays: the 13,000 compromised routers configured as SOCKS proxies. When a compromised proxy forwards traffic without checking its origin, the recipient cannot verify where the message actually came from, so malicious emails appear to originate from legitimate domains and are able to bypass email protections.
When email domain settings are configured correctly, a user sends an email and the receiving mail server checks the Sender Policy Framework (SPF) record to verify that the message is coming from an authorized server. If the email fails this check, it is likely to be marked as spam or rejected, researchers at Infoblox explain.
A misconfiguration in the SPF record allowed threat actors to place a script on the devices that lets them operate as TCP redirectors. “Enabling SOCKS effectively turns each device into a proxy, masking the true origin of malicious traffic and making it harder to trace back to the source.” The malicious emails contained fake invoices and a zip file carrying a malicious payload; the attached trojan communicated with a command and control server that had previously been linked to suspicious Russian activity.
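To make the SPF check described above concrete, here is an added Python example (not code from Infoblox or from the article) that evaluates a sending IP against a simplified SPF record and flags records that authorize every sender. The domains, IP ranges and the `+all` term are constructed assumptions used to illustrate a permissive record; the article does not state the exact misconfiguration.

```python
import ipaddress

# Constructed sample records for non-existent domains. The first is correctly
# configured; the second ends in "+all", an assumed example of a misconfiguration
# that authorises *any* host (including an open SOCKS relay) to send for the domain.
SPF_RECORDS = {
    "good.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bad.example": "v=spf1 ip4:203.0.113.0/24 +all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip
    against a simplified SPF record. Only ip4/ip6/all mechanisms are handled;
    the real protocol (RFC 7208) also has include/a/mx/redirect."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6") and arg:
            try:
                # 'in' is False when address and network versions differ
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed network: skip the term rather than crash
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit 'all' term


def audit_record(record):
    """Defender-side check of your own domain's record: a bare 'all' or '+all'
    makes every relay pass SPF, which is what lets spoofed mail through."""
    for term in record.split()[1:]:
        if term.lower() in ("all", "+all"):
            return "overly permissive: '%s' authorises every sender" % term
    return "ok"
```

Running `audit_record` over the TXT records of the domains you operate is a quick way to catch the permissive case before a relay abuses it.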
The malicious emails are designed to look as though they come from legitimate domains, but the botnet can also be used for many other nefarious purposes. More concerning, because the botnet lacks authentication, the entire botnet, and each individual device in it, is open to exploitation by other hackers or threat actors.
It is not clear at this time how the routers themselves were compromised; although critical vulnerabilities have been identified in the past, recent firmware releases may also have contributed to the misconfigurations. In total, the campaign is thought to involve as many as 20,000 sender domains (web servers’ names). For scale, the Tor network uses around 8,000 relays, making this botnet more than 1.5 times larger.
Infoblox threat researcher David Brunsdon said that “Together, they form a large cannon, poised and ready to unleash a barrage of malicious activities.” The Infoblox report adds that “Tens or hundreds of thousands of compromised machines use them for network access, significantly amplifying the potential scale and impact of the botnet’s operations.”
Similar botnets have participated in a wide range of malicious behavior, including DDoS attacks, spam and phishing campaigns, credential stuffing attacks, data theft, cryptojacking, click fraud and more.
How to stay safe
Obviously the first step to staying safe is to make sure your router is properly configured and kept up to date. If it's on the older side, you might be better off upgrading to one of the best Wi-Fi routers, as many newer devices ship with built-in security software.
Never open email attachments that you aren't expecting or that come from a sender you don't know. The same applies to links in emails.
As an added step, make sure you have strong, robust antivirus software installed on your home PC and laptop. It's never a bad idea to make sure that your antivirus suite includes a VPN and a hardened browser too.