How MikroTik Routers Became a Cybercriminal Target

The powerful devices leveraged by the Meris botnet have weaknesses that make them easy to exploit, yet complex for organizations to track and secure, researchers said.

The routers leveraged by the Mēris botnet in a massive distributed denial-of-service (DDoS) attack against Russia’s internet giant Yandex have also been the unwitting platform for numerous cyberattacks, researchers have found. This is due to a persistent vulnerable state that’s difficult for organizations to wrangle, but easy for threat actors to exploit, they said.

Researchers from Eclypsium took a deep dive into the feature-rich small office/home office (SOHO) and internet-of-things (IoT) devices from Latvia-based company MikroTik, of which some 2 million are deployed.

Due to the sheer number of devices in use, their considerable processing power and the many known vulnerabilities affecting them, threat actors have been using MikroTik devices for years as the command center from which to launch numerous attacks, researchers said.

The MikroTik Attack Surface

Eclypsium researchers began exploring the how and why of the weaponization of MikroTik devices in September, building on previous research into how TrickBot threat actors used compromised routers as command-and-control (C2) infrastructure. Eclypsium analysts found that TrickBot was also able to fall back on
