Reading Time: 2 minutes
Yet again KrebsOnSecurity under Meris botnet attack, the cybersecurity website has been often targeted by cybercriminals in the past. The site run by security expert Brian Krebs was attacked on Thursday by Meris botnet.
What is the Meris botnet?
The latest Meris botnet is powered by IoT devices such as PCs, home gadgets such as cameras, VCRs, TVs, and routers. These IoT devices are hijacked to become slave nodes in the botnet network. They are also used to conduct distributed Denial of Service (DDoS) attacks, another of their functions. While in this particular case Meris is composed of a large number of MikroTik routers.
Meris botnet first appeared in late June and is still growing, according to Qrator Labs and Yandex.
Meris might show resemblance to Mirai, a known botnet for taking down large swathes of the internet in 2016, though it may not be the right comparison to make at this point of time according to the experts.
Qrator Labs said, “Some people and organizations already called the botnet “a return of Mirai,” which we do not think to be accurate. Mirai possessed a higher number of compromised devices united under C2C, and it attacked mainly with volumetric traffic.”
The leaked Mirai’s source code suggests it is causing many variants to appear that are still operational.
The current DDoS attack on KrebsOnSecurity was relatively limited compared to the earlier attack on the firm earlier in 2016 by a Mirai operator. The attack was severe as Akamai had to unmoor the domain in light of the potential ramifications for other clients.
According to the security experts, the volume of the junk traffic launched by the botnet was 4 times that of Mirai reaching over two million requests per second. Currently, the domain is protected under Google’s Project Shield.
Meris botnet has been involved in two major attacks this year, which include search engine Yandex last week and on Cloudflare earlier in July clocking in at 17.2 million request-per-second.
In a statement issued by MikroTik noted, the attack seems to have stemmed from a vulnerability patched in RouterOS in 2018, rather than a zero-day or new vulnerability.
The company further added, “Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change [your] password, re-check your firewall [so] it does not allow remote access to unknown parties, and look for scripts that you did not create. We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.”