To perform an after-action review (AAR) of Mēris, it’s necessary to look back to when CVE-2018-14847 was first identified in 2018. For three years, this vulnerability enabled adversaries to stealthily compromise MikroTik routers. Those efforts kicked into high gear in June 2021, coinciding with an increase in brute-forcing activity on our honeypot network, as reported in our 1H 2021 Threat Intelligence report. This vulnerability allows attackers to steal a device’s unencrypted usernames and passwords after exploitation. As such, applying system updates alone failed to mitigate the problem, because attackers could still access the device via the stolen credentials.
The MikroTik platform enabled a retooling of malware, giving attackers access to a much higher level of bandwidth thanks to enterprise deployments of MikroTik devices. It also enabled adversaries to utilize more direct-path DDoS attacks and application-layer attacks.
Mēris Botnet Snapshot
Mēris Scanning Details
Mēris nodes continue to bombard our global honeypot with brute-force attempts on RDP, SSH, and Telnet, coinciding with exploitation attempts directly related to the MikroTik router vulnerability.
Mēris Credential Set
The 1H 2021 Threat Intelligence report highlights a series of MikroTik-specific credential sets that appeared around the time an increase in exploitation of MikroTik routers using CVE-2018-14847 took place. In addition to MikroTik-specific credentials, these username and password combinations were used in an attempt to access our honeypots.
Unlike Mēris, Dvinis-sourced HTTP and HTTP/S application-layer DDoS attacks don’t appear to make use of HTTP pipelining. However, an apparent typo in the attack generators appends an extra “/” character to the end of the Uniform Resource Identifier (URI) targeted in HTTP POST and GET floods. This mistake enables such activity from Dvinis to be tracked.
Additionally, it appears that most of the observed HTTP and HTTP/S DDoS attacks sourced from Dvinis are initiated by an external attack harness and then relayed via the SOCKS4/5 proxy subsystem that’s built into compromised MikroTik routers. The HTTP X-Forwarded-For field in captured attack packets includes the source IP addresses of the actual attack infrastructure being used to generate these attacks.
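The two tracking artifacts described above (the extra trailing “/” in the flood URIs and the X-Forwarded-For header populated by the routers’ SOCKS proxy relay) lend themselves to a simple detection rule. The following is an added example, not code from the report or from ASERT: it parses raw HTTP request headers as a sensor might log them, flags request targets that carry an apparently doubled trailing slash, and pulls the X-Forwarded-For chain so the upstream harness addresses can be counted. The sample requests, the IP addresses, and the exact shape of the slash anomaly (a path ending in “//”, or a file-like segment such as “index.php” followed by “/”) are assumptions made for illustration; the report only states that an extra “/” is appended.

```python
import re
from collections import Counter

# Constructed sample of HTTP request headers, as an application-layer DDoS
# sensor might record them. Hypothetical data, not captures from the report.
SAMPLE_REQUESTS = [
    "GET /index.php/ HTTP/1.1\r\nHost: www.example.net\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n",
    "POST /login// HTTP/1.1\r\nHost: www.example.net\r\n"
    "X-Forwarded-For: 203.0.113.7, 198.51.100.22\r\n\r\n",
    "GET /api/v1/status HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive.
    Returns None when the request line is not well formed.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return match.group("method"), match.group("target"), headers


def has_extra_trailing_slash(target):
    """Heuristic (assumption) for the generator typo: the path component ends
    in "//", or a file-like last segment (one containing a dot) is followed
    by "/". A plain directory path such as "/about/" is left alone."""
    path = target.split("?", 1)[0]
    if path.endswith("//"):
        return True
    if path.endswith("/") and len(path) > 1:
        last_segment = path.rstrip("/").rsplit("/", 1)[-1]
        return "." in last_segment
    return False


def forwarded_chain(headers):
    """Return the X-Forwarded-For addresses in order (leftmost = original client)."""
    raw = headers.get("x-forwarded-for", "")
    return [addr.strip() for addr in raw.split(",") if addr.strip()]


def analyze(raw_requests):
    """Return one finding per request that matches the trailing-slash signature."""
    findings = []
    for raw in raw_requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, target, headers = parsed
        if has_extra_trailing_slash(target):
            findings.append({"method": method, "path": target,
                             "xff": forwarded_chain(headers)})
    return findings


def harness_counts(findings):
    """Count the leftmost X-Forwarded-For address per flagged request; when the
    relay is a proxy on a compromised router, that entry is the client that
    connected to the proxy, i.e. the external attack harness."""
    return Counter(f["xff"][0] for f in findings if f["xff"])


if __name__ == "__main__":
    hits = analyze(SAMPLE_REQUESTS)
    for hit in hits:
        print(hit["method"], hit["path"], "via", hit["xff"] or "(no XFF)")
    print("upstream harness addresses:", dict(harness_counts(hits)))
```

Treat the X-Forwarded-For values as attribution leads rather than proof: the header is client-supplied, so a harness that sets it deliberately can point analysts anywhere. The doubled-slash heuristic should likewise be tuned against the site’s real URL space before it is used as a blocking rule, since paths such as “/v1.2/” would match the file-like-segment check.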
Dvinis Botnet Snapshot
Dvinis Scanning Details
As with Mēris, the botted nodes of Dvinis try to propagate across Telnet, SSH, and RDP. Given the massive increase of Dvinis-compromised devices since this activity began, it’s clear that spreading attempts have scaled with the increase.
Dvinis Credential Set
Attackers intent on wreaking havoc use GitLab servers to launch terabit-level attacks with incredible throughput. The CVE-2021-22205 vulnerability that was patched in April 2021 allowed botnet commanders to exploit unpatched GitLab servers with a variant of Mirai and the Gitpaste-12 bot, so named by Juniper Networks because it has access to GitLab servers and 12 DDoS attack modules. A report from The Record revealed an attack in the terabit range thus far, and ASERT believes it’s only the beginning of bot masters refocusing attention on server-class devices to host their bot code.
To track the size of this botnet, we examined open ports on GitLab servers (TCP 9418, 80, and 443) and scanned to verify the number of servers. We then correlated the identified servers to our global DDoS attack sensor network to see which had participated in DDoS attacks against our customers, to ascertain the botnet’s level of activity and impact.
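The sizing method just described (select hosts exposing the GitLab-associated ports, then join them against attack-sensor observations) is shown below as an added example; it is not ASERT’s tooling. The scan results and sensor events are constructed, the port triple TCP 9418/80/443 is taken from the text, and the “all three ports open” rule is an assumption that yields candidates rather than confirmed GitLab instances, which is why the report speaks of scanning to verify.

```python
# Constructed scan output: host -> set of open TCP ports (hypothetical data).
SCAN_RESULTS = {
    "192.0.2.10": {80, 443, 9418},
    "192.0.2.11": {80, 443},          # web server, no git daemon port
    "192.0.2.12": {22, 80, 443, 9418},
    "192.0.2.13": {9418},             # git daemon only
    "192.0.2.14": {80, 443, 9418},    # candidate never seen attacking
}

# Constructed attack-sensor events: (source_ip, target, vector).
SENSOR_EVENTS = [
    ("192.0.2.10", "customer-a", "http-flood"),
    ("192.0.2.10", "customer-b", "http-flood"),
    ("192.0.2.12", "customer-a", "syn-flood"),
    ("198.51.100.5", "customer-c", "udp-flood"),  # not a candidate host
]

# Ports the report uses to pick out GitLab servers (git daemon, HTTP, HTTPS).
GITLAB_PORTS = {9418, 80, 443}


def candidate_gitlab_hosts(scan):
    """Hosts with every GitLab-associated port open. A heuristic, not a
    confirmation: a follow-up check of the service banners is still needed."""
    return {host for host, ports in scan.items() if GITLAB_PORTS <= ports}


def correlate(candidates, events):
    """Join candidate hosts against sensor events.

    Returns host -> {"attacks": event count, "targets": set of victims}
    for candidates that appear as an attack source at least once.
    """
    activity = {}
    for source, target, _vector in events:
        if source not in candidates:
            continue
        entry = activity.setdefault(source, {"attacks": 0, "targets": set()})
        entry["attacks"] += 1
        entry["targets"].add(target)
    return activity


def active_fraction(candidates, activity):
    """Share of candidate hosts observed participating in attacks."""
    if not candidates:
        return 0.0
    return len(activity) / len(candidates)


if __name__ == "__main__":
    hosts = candidate_gitlab_hosts(SCAN_RESULTS)
    seen = correlate(hosts, SENSOR_EVENTS)
    print(f"{len(hosts)} candidate hosts, {len(seen)} seen attacking "
          f"({active_fraction(hosts, seen):.0%})")
    for host, info in sorted(seen.items()):
        print(host, info["attacks"], "events against", sorted(info["targets"]))
```

The ratio from active_fraction is the figure that matters for impact assessment: a large candidate population with few attack sightings points at exposed-but-unexploited servers, while a high ratio means the population is already largely botted. Sensor events should be time-bounded to the scan window before correlating, otherwise hosts that have since been cleaned up inflate the count.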
GitMirai Botnet Snapshot