In November 2024, a botnet of 13,000 MikroTik routers was discovered abusing misconfigured DNS records to bypass email protection and deliver malware. The attackers exploited an error in the configuration of SPF records, the DNS records responsible for authorizing which servers may send email on behalf of a domain.
Infoblox reported a campaign of malicious emails in which the attackers impersonated DHL Express. The attachment contained payment requests in a ZIP archive together with a malicious JavaScript file; the script executed a PowerShell command to connect to a command-and-control (C2) server.
Approximately 20,000 domains had overly permissive SPF configurations using the “+all” qualifier, which allows any server to send email on behalf of the domain and effectively nullifies protection against spoofing. To prevent such attacks, experts recommend the “-all” qualifier, which restricts sending to the authorized servers listed in the record.
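The check described above, as an added example that is not part of the Infoblox report or the original article: a small Python audit that parses SPF TXT records, determines what the terminal “all” mechanism does to senders that match no explicit mechanism (a bare “all” means “+all”, and a record with no “all” defaults to neutral), flags the permissive ones, and proposes the “-all” form. The domain names and records below are constructed sample data, not real DNS records.

```python
import re

# Meaning of the qualifier on the terminal "all" mechanism (RFC 7208, section 4.6.2).
QUALIFIER_MEANING = {
    "+": "pass",      # +all: any sender passes, so spoofing protection is nullified
    "-": "fail",      # -all: unlisted senders fail
    "~": "softfail",  # ~all: unlisted senders soft-fail
    "?": "neutral",   # ?all: no assertion either way
}

_ALL_RE = re.compile(r"([+\-~?]?)all", re.IGNORECASE)
_MODIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*=.*")   # redirect=..., exp=...


def parse_spf(txt):
    """Split an SPF TXT record into (mechanisms, modifiers); None if it is not SPF."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if _MODIFIER_RE.fullmatch(term):          # modifier, e.g. redirect=, exp=
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
        else:                                     # mechanism, e.g. ip4:, include:, mx, a, all
            mechanisms.append(term)
    return mechanisms, modifiers


def all_verdict(txt):
    """Result SPF gives to a sender that matches none of the explicit mechanisms."""
    parsed = parse_spf(txt)
    if parsed is None:
        return "not-spf"
    mechanisms, modifiers = parsed
    for mech in mechanisms:
        m = _ALL_RE.fullmatch(mech)
        if m:
            return QUALIFIER_MEANING[m.group(1) or "+"]   # bare "all" means "+all"
    if "redirect" in modifiers:        # evaluation continues at another domain's record
        return "redirect:" + modifiers["redirect"]
    return "neutral"                   # no "all" term: the default result is neutral


def is_permissive(txt):
    """True when the record lets any host on the internet pass SPF."""
    return all_verdict(txt) == "pass"


def harden(txt):
    """Rewrite the terminal 'all' as '-all', the form the advisory recommends.

    Terms after 'all' are never evaluated, so they are dropped. A record with no
    'all' and no redirect gets '-all' appended; verify that every legitimate
    sender is listed before publishing such a change.
    """
    parsed = parse_spf(txt)
    if parsed is None:
        return txt
    mechanisms, modifiers = parsed
    kept = []
    for mech in mechanisms:
        if _ALL_RE.fullmatch(mech):
            break
        kept.append(mech)
    mods = [f"{k}={v}" for k, v in modifiers.items()]
    has_all = any(_ALL_RE.fullmatch(m) for m in mechanisms)
    if "redirect" in modifiers and not has_all:
        return " ".join(["v=spf1", *kept, *mods])
    return " ".join(["v=spf1", *kept, "-all", *mods])


def audit(records):
    """Return {domain: verdict} for every domain whose record is permissive."""
    return {d: all_verdict(r) for d, r in records.items() if is_permissive(r)}


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": "v=spf1 ip4:192.0.2.0/24 +all",
    "bare.example": "v=spf1 mx all",
    "ok.example": "v=spf1 ip4:198.51.100.10 include:_spf.mail.example -all",
    "soft.example": "v=spf1 include:_spf.mail.example ~all",
    "redir.example": "v=spf1 redirect=_spf.mail.example",
    "open.example": "v=spf1 ip4:203.0.113.5",
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {verdict} -> suggested: {harden(SAMPLE_RECORDS[domain])}")
```

Against the sample set, `audit` flags only `weak.example` and `bare.example`; the record that merely lacks an “all” term is reported as neutral rather than permissive, which is weaker than “-all” but does not grant a pass to arbitrary senders. In a real audit the records would come from a DNS TXT lookup and any `include:` or `redirect=` targets would need the same check recursively.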
Figure: MikroTik router infection scheme (source: Infoblox)
Although the specific method used to compromise the MikroTik routers remains undisclosed, Infoblox indicates that devices running various firmware versions, including the latest ones, were affected. MikroTik routers are frequently targeted because their capabilities make them well suited to building large botnets.
In this new botnet, the infected devices functioned as SOCKS4 proxy servers used for sending phishing emails, DDoS attacks, data theft, and traffic masking, enabling thousands of compromised machines to obscure the origin of malicious activity. Security experts recommend immediately updating the firmware, changing the default administrator password, and disabling remote access to the management interface if it is not in use.
In the summer of 2024, OVHcloud reported a DDoS attack with a peak intensity of 840 Mpps orchestrated through the MikroTik botnet. Despite advisories to update firmware, the low adoption rate of patches leaves many devices vulnerable for extended periods.