In recent cybersecurity news, Infoblox Threat Intel uncovered a botnet built from roughly 13,000 compromised MikroTik devices. The botnet took advantage of permissive SPF DNS records to get past email sender authentication, spoofing around 20,000 web domains to spread malware.
Key Takeaways
- A botnet of thousands of compromised MikroTik devices was used to launch malspam campaigns.
- The spoofing was possible because many sending domains used permissive SPF configurations.
- The result was a widespread spoofing campaign carrying malware-laden attachments.
- Key lessons learned include avoiding permissive SPF configurations, checking DNS records regularly, and using Hosted SPF services with macros.
Why Botnets Are a Persistent Threat
A botnet is a network of compromised devices that threat actors control remotely. Botnets have been a persistent cybersecurity threat for decades: their widely distributed nature makes them an effective vector for large-scale malicious activity.
Botnets have been responsible for the following in the past:
- Distributed Denial of Service (DDoS) attacks, which overwhelm a target's network to crash services or distract defenders.
- Spam and phishing campaigns, which flood inboxes with malicious emails to steal sensitive information or spread malware.
- Credential stuffing, automating login attempts with stolen credentials.
- Data theft, extracting personal or corporate data for profit or for further attacks.
- Cryptojacking, hijacking device resources to mine cryptocurrency.
- Proxy networks and click fraud, obscuring attacker locations and defrauding advertisers.
In the malware spam campaign recently discovered by Infoblox, the botnet consisted of more than 13,000 compromised MikroTik routers. This is a growing concern for the cybersecurity industry.
Anatomy of the Malware Campaign
Freight Invoice Spam
Infoblox first observed the campaign in late November 2024 as an invoice spam campaign. The spam emails impersonated DHL shipping invoices and carried ZIP attachments containing malicious JavaScript files. The attachments followed consistent naming conventions such as:
- Invoice (2–3-digit number).zip
- Tracking (2–3-digit number).zip
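The two signals above, a lure-style attachment name and a script file inside the archive, are easy to turn into a mail-gateway check. The block below is an added example written for this page, not code from Infoblox or PowerDMARC; the regular expression's optional separator, the list of script extensions and the sample archives are all assumptions, and the ZIP contents are constructed stand-ins rather than campaign artifacts.

```python
import io
import re
import zipfile
from typing import Dict, List

# Lure names reported for the campaign: "Invoice <2-3 digits>.zip" and "Tracking <2-3 digits>.zip".
# The optional separator is an assumption, added to tolerate "Invoice_123.zip" style variants.
LURE_NAME = re.compile(r"^(?:Invoice|Tracking)[ _-]?\d{2,3}\.zip$", re.IGNORECASE)

# Script types Windows runs on double-click; a JavaScript dropper is what this campaign used.
# The full list is an assumption, chosen to cover common script-based droppers.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".ps1", ".cmd", ".bat")


def scripts_in_zip(data: bytes) -> List[str]:
    """List archive members with an executable script extension; [] if the data is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def attachment_verdict(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the lure-name signal with archive content.

    A script inside the archive is blocked regardless of name; a lure-style name with
    no script (or an unreadable archive) is routed for review; anything else is allowed.
    """
    name_hit = bool(LURE_NAME.match(filename))
    scripts = scripts_in_zip(data)
    if scripts:
        verdict = "block"
    elif name_hit:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "lure_name": name_hit, "scripts": scripts, "verdict": verdict}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the example needs no files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples for the demonstration, not artifacts from the campaign.
LURE_ZIP = build_zip({"Invoice 482.js": b"// stand-in for a JavaScript dropper\n"})
BENIGN_ZIP = build_zip({"Invoice 482.pdf": b"%PDF-1.4 stand-in\n"})

if __name__ == "__main__":
    samples = [
        ("Invoice 482.zip", LURE_ZIP),     # lure name + script inside -> block
        ("Invoice 482.zip", BENIGN_ZIP),   # lure name, PDF inside     -> review
        ("Tracking 12.zip", b"not a zip"), # lure name, unreadable      -> review
        ("report.zip", BENIGN_ZIP),        # neither signal             -> allow
    ]
    for fn, blob in samples:
        print(attachment_verdict(fn, blob))
```

The name pattern alone is a weak signal (legitimate invoices exist), so it only escalates to review; the archive inspection is what produces a block, and it catches the same dropper when the attacker renames the outer ZIP.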
Payload Analysis
The JavaScript files inside the ZIP archives launched PowerShell scripts. These connected to a malware command and control (C2) server hosted at a suspicious IP address with a history of prior malicious activity on the web. In this way the botnet served as the distribution chain for the trojan.
How Were MikroTik Routers Compromised?
According to Infoblox's investigation, more than 13,000 MikroTik routers were hijacked by the botnet. The routers were configured as SOCKS proxies, which relayed the spam and masked the true origin of the traffic.
MikroTik routers were an easy target for the botnet for several reasons:
- The routers have a remote code execution flaw that is easily exploitable once an attacker has authenticated access.
- SOCKS proxy support, which the threat actors enabled to hide their real source addresses.
- Many devices shipped with a default "admin" account and a blank password.
Role of SPF Misconfigurations in Enabling The Malspam Campaign
Receiving mail servers check whether a sending server is authorized for a domain by consulting DNS TXT records; the Sender Policy Framework (SPF) record is one such mechanism. Permissive SPF records on thousands of sending domains, however, gave the attackers the loophole they needed: mail from the compromised routers passed the authentication check as if it had come from the spoofed domain.
Example of Misconfigured SPF Records
An example of a non-permissive SPF record is as follows:
v=spf1 include:example.domain.com -all
This record allows only the servers listed (here, those covered by the include) to send email on behalf of the domain. Mail from any other server fails SPF, and the -all qualifier makes that a hard fail.
An example of a permissive SPF record is as follows:
v=spf1 include:example.domain.com +all
The +all qualifier at the end matches every sender, so any server on the internet passes SPF for the domain, which enables spoofing and impersonation. Infoblox identified permissive SPF configurations like this one on the domains the campaign spoofed.
Checking SPF Configurations To Prevent Exploitation
You can check your domain’s SPF configurations using either of the following methods:
Manual Lookups
Domain owners can look up SPF records with the dig or nslookup commands:
- On Linux/macOS: dig +short txt example.com | grep -i spf
- On Windows (PowerShell): nslookup -type=txt example.com | Select-String -Pattern "spf"
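A manual lookup tells you what the record says; deciding whether it is safe still means reading the qualifier on the all term and counting DNS-querying terms against the 10-lookup limit. The block below is an added example for this page, not PowerDMARC's checker or any Infoblox tooling. It audits SPF records against a constructed sample zone (reserved example.com and example.net names) so it runs offline; to audit real domains, replace sample_resolver with a function that returns a name's TXT strings from live DNS. The sample records, the lookup-counting rules and the ok verdict are the author's assumptions about what a practitioner wants flagged.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for live DNS so the example runs offline. The names use the
# reserved example.com / example.net domains and are illustrative, not real zones.
SAMPLE_TXT: Dict[str, List[str]] = {
    "strict.example.com": ["v=spf1 include:_spf.example.net -all"],
    "permissive.example.com": ["v=spf1 include:_spf.example.net +all"],
    "neutral.example.com": ["v=spf1 a mx ?all"],
    "nospf.example.com": ["google-site-verification=abc123"],
    "_spf.example.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # eight includes plus a, mx and ptr: eleven DNS-querying terms, over the limit
    "heavy.example.com": [
        "v=spf1 " + " ".join(f"include:{h}.example.net" for h in "abcdefgh") + " a mx ptr -all"
    ],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Return the TXT strings for a name from the constructed zone (swap in a real lookup here)."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


# Terms that cost a DNS query; RFC 7208 section 4.6.4 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, term name, optional ":"/"=" argument, optional "/prefix-length"
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9_-]+)(?:[:=]([^/]*))?(?:/.*)?$", re.IGNORECASE)


def fetch_spf(domain: str, resolver: Resolver) -> Optional[str]:
    """Exactly one v=spf1 TXT record is required; zero or several is a permerror."""
    records = [t for t in resolver(domain) if t.lower().startswith("v=spf1 ") or t.lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def count_lookups(record: str, resolver: Resolver, depth: int = 0) -> int:
    """Count DNS-querying terms, following include: and redirect= the way a verifier would."""
    if depth > 10:  # guard against include loops
        return 0
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1
        name, target = m.group(1).lower(), m.group(2)
        if name in ("include", "redirect") and target:
            sub = fetch_spf(target, resolver)
            if sub:
                total += count_lookups(sub, resolver, depth + 1)
    return total


def classify_spf(record: str) -> str:
    """Report what the record does with senders that match no earlier mechanism."""
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if m and m.group(1).lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
            return {
                "-": "hardfail",
                "~": "softfail",
                "?": "neutral (spoofable)",
                "+": "permissive: +all authorises every sender",
            }[qualifier]
    return "no 'all' term (treated as neutral, spoofable)"


def audit(domain: str, resolver: Resolver = sample_resolver) -> Dict[str, object]:
    """Audit one domain: record found, fail policy, lookup count and an overall verdict."""
    record = fetch_spf(domain, resolver)
    if record is None:
        return {"domain": domain, "record": None, "policy": "missing or duplicate SPF record",
                "lookups": 0, "ok": False}
    policy = classify_spf(record)
    lookups = count_lookups(record, resolver)
    ok = policy in ("hardfail", "softfail") and lookups <= 10
    return {"domain": domain, "record": record, "policy": policy, "lookups": lookups, "ok": ok}


if __name__ == "__main__":
    for d in ("strict", "permissive", "neutral", "nospf", "heavy"):
        r = audit(f"{d}.example.com")
        print(f"{r['domain']:<24} lookups={r['lookups']:<3} ok={str(r['ok']):<5} {r['policy']}")
```

The ok verdict is deliberately strict: only -all or ~all with at most ten lookups passes. A record with +all, ?all or no all term at all lets an unlisted sender through, which is exactly the condition the campaign relied on; exceeding the lookup limit is just as bad in practice, because receivers return permerror and the record stops protecting anything.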
Automatic Lookups
A simpler way to check your SPF DNS configurations is by using PowerDMARC’s SPF checker tool.
- Enter your domain name in the toolbox (e.g. domain.com)
- Hit the “Lookup” button
- Review your results
It's that easy! This is a hassle-free, instant way to check SPF without running a PowerShell script or shell command, and it requires no technical knowledge.
Endnote: Lessons Learned
The botnet's ability to turn SPF misconfigurations into a large-scale spoofing campaign highlights the need to follow email security best practices:
- Domain owners must regularly audit DNS records to ensure proper SPF, DKIM, and DMARC configurations.
- Domain owners must refrain from using overly permissive SPF or DMARC policies for long periods of time.
- Remove or secure default admin accounts on devices.
- Enable DMARC reporting to monitor email traffic and detect unauthorized sending on your domain.
- Most importantly, use SPF macro optimization services such as Hosted SPF to fix SPF errors and weaknesses and to stay within the SPF DNS lookup limit easily.
The discovery of the MikroTik botnet is another reminder of how sophisticated cyber attacks have become. To stay protected, businesses should keep their security stack current, including modern, AI-backed email security technologies, so they can navigate the threat landscape with confidence.
- MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware - January 17, 2025