[TheRecord] Russian security firm sinkholes part of the dangerous Meris DDoS botnet

Rostelecom-Solar, the cybersecurity division of Russian telecom giant Rostelecom, said on Monday that it sinkholed a part of the Meris DDoS botnet after identifying a mistake from the malware’s creators.

First spotted earlier this year, the Meris botnet is currently the largest DDoS botnet on the internet, with an estimated size of around 250,000 infected systems.

For the past few months, the botnet has been abused by a threat actor that has engaged in DDoS extortion attacks against internet service providers and financial entities across several countries, such as Russiathe UKthe US, and New Zealand.

The attacks have been brutal, with companies often going offline overwhelmed by the botnet’s sheer power. As part of this ferocious campaign, Meris broke the record for the largest volumetric DDoS attack twice this year, once in June and then again in September.

Internet infrastructure firms like Cloudflare and Qrator Labs have analyzed the botnet following attacks on their customers and found that the vast majority of infected systems have been MikroTik networking equipment like routers, switches, and access points.

In a blog post last week, MikroTik said the attackers abused an old vulnerability (CVE-2018-14847) in its RouterOS to assemble their botnet using devices that haven’t been updated by their owners.

Meris botnet operators make a mistake

But in research published on Monday, Rostelecom-Solar said that during routine analysis of this new threat, which has also been attacking some of its customers, its engineers found that some infected routers were reaching out and asking for new instructions from an unregistered domain at cosmosentry[.]com.

Seizing the operator’s mistake, Rostelecom-Solar engineers said they registered this domain and converted it into a “sinkhole.”

After days of tracking, researchers said they received pings from around 45,000 infected MikroTik devices, a number estimated to be around a fifth of the botnet’s entire size.

“Unfortunately, we cannot take any active actions with devices under our control (we do not have the authority to do this),” the company said this week.

“At the moment, about 45,000 MikroTik devices turn to us as a sinkhole domain.”

Image: The Record

In case MikroTik router owners detect these suspicious connections to the cosmosentry[.]com, Rostelecom-Solar said they’ve set up a placeholder message informing them of who owns the domain and why their router is making the connection.

The Glupteba connection

Furthermore, researchers said they also identified clues in the Meris malware code that also provided an insight into how this botnet had been assembled.

Per the Rostelecom-Solar team, the Meris botnet appears to have been assembled via Glupteba, a malware strain targeting Windows computers, typically used as a loader for various other malware strains.

Researchers pointed to two 2020 reports from cyber-security firms Sophos [PDF] and Trend Micro, both of which documented a new Glupteba module at the time that was specialized in attacking MikroTik routers found on companies’ internal networks via the CVE-2018-14847 vulnerability.

Similarities in the Meris code and the fact that many routers which pinged Rostelecom’s sinkhole using internal IPs confirmed the company’s theory that Meris was fully or partially assembled via the Glupteba malware.

However, it is currently unclear if the Glupteba gang built the Meris botnet themselves or if another group rented access to Glupteba-infected hosts to deploy the MikroTik module that eventually led to Meris’ creation.

Rostelecom-Solar said it notified authorities about their findings. The report was shared with the National Coordination Center for Computer Incidents (NKTsKI), a CERT-like organization created by the Russian Federal Security Service (FSB) in 2018.

The post Russian security firm sinkholes part of the dangerous Meris DDoS botnet appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ThreatPost] Podcast: 67% of Orgs Have Been Hit by Ransomware at Least Once

All posts, ThreatPost

Fortinet’s Derek Manky discusses a recent global survey showing that two-thirds of organizations suffered at least one ransomware attack, while half were hit multiple times. Source: Read More (Threatpost)

Read More

[HackerNews] Feds Secretly Ran a Fake Encrypted Chat App and Busted Over 800 Criminals

All posts, HackerNews

In a huge sting operation, the U.S. Federal Bureau of Investigation (FBI) and Australian Federal Police (AFP) ran an “encrypted chat” service called ANoM for almost 3 years to intercept 27 million messages between criminal gang members globally. Dubbed Operation Ironside (AFP), Operation Greenlight (Europol), and Operation Trojan Shield (FBI), the long-term covert probe into transnational and Source: Read More (The Hacker News)

Read More

[SANS ISC] Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th)

All posts, Sans-ISC

Since Patch Tuesday, we’ve been tracking a Kerboros issue in November’s patch bundle that affected authentication in several deployment scenarios: Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD) Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO) Active Directory Federated Services (ADFS) Microsoft SQL Server […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.