MikroTik Devices Used in Large Botnet Attack

January 16, 2025
in Alerts

A newly discovered botnet of roughly 13,000 compromised MikroTik devices is abusing misconfigured domain name system (DNS) records to bypass email security controls and deliver malware. The threat actor behind the botnet takes advantage of weak sender policy framework (SPF) records, the DNS TXT records used to validate which servers may send email for a domain. According to the report, the SPF records of around 20,000 web domains were misconfigured by the attacker with the overly permissive “+all” mechanism, which allows any server to send email on behalf of those domains and thus enables email spoofing and the delivery of malicious content.
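The “+all” problem described above is easy to audit once the TXT record is in hand. The following checker is an added example, not code from the article or from Infoblox; it parses SPF records offline, and the sample records and domain names are constructed for illustration (in practice the strings would come from DNS TXT lookups).

```python
"""Flag SPF records whose "all" mechanism lets any host pass SPF.

Added example. Per RFC 7208 a mechanism with no qualifier is "+" (pass),
so a bare "all" is just as permissive as "+all".
"""
import re

# SPF qualifiers and the result they produce when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Modifiers look like name=value (redirect=, exp=); mechanisms never do.
_MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")


def parse_spf(record: str):
    """Return [(qualifier, mechanism)] for an SPF record, or None if the
    TXT string is not SPF. Modifiers are kept verbatim with qualifier ""."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if _MODIFIER.match(term):
            parsed.append(("", term))
            continue
        qual, mech = "+", term           # omitted qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        parsed.append((qual, mech.lower()))
    return parsed


def spf_risk(record: str) -> str:
    """Classify the spoofing exposure of one SPF record.

    "permissive": "+all" or bare "all" - any sender passes, as in the
                  campaign above.  Otherwise the qualifier's result name
                  ("fail", "softfail", "neutral"), "no-all" when the
                  record never terminates, or "no-spf".
    """
    parsed = parse_spf(record)
    if parsed is None:
        return "no-spf"
    for qual, mech in parsed:
        if mech == "all":
            return "permissive" if qual == "+" else QUALIFIERS[qual]
    return "no-all"


# Constructed sample records for the audit run below.
SAMPLES = {
    "permissive.example": "v=spf1 ip4:192.0.2.0/24 +all",
    "bare.example": "v=spf1 include:_spf.example.net all",
    "strict.example": "v=spf1 ip4:192.0.2.10 -all",
}


def audit(records: dict) -> dict:
    """Map each domain to its spf_risk classification."""
    return {domain: spf_risk(rec) for domain, rec in records.items()}
```

Running `audit(SAMPLES)` flags the first two domains as permissive; only records ending in “-all” or “~all” give receiving servers a basis to reject or quarantine spoofed mail.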

The botnet was discovered by DNS security company Infoblox, which tracked a malspam campaign active in late November 2024. Some of the fraudulent emails impersonated well-known companies such as DHL Express, tricking recipients into opening attachments that appeared to be freight invoices. The attachments were ZIP archives which, once opened, executed a JavaScript file that ran a PowerShell script; the script in turn connected to a command-and-control (C2) server operated by the attacker. The domain associated with the C2 server had previously been linked to Russian cybercriminal groups.

Infoblox researchers revealed that the botnet’s operation was much larger than initially thought, with approximately 13,000 hijacked MikroTik devices forming part of a significant, sprawling network. These devices were used to send phishing emails, exfiltrate data, and mask the origin of malicious network traffic. By configuring the MikroTik routers as SOCKS4 proxies, the attacker was able to amplify the scale of the botnet’s operations, allowing it to launch distributed denial-of-service (DDoS) attacks, deliver phishing emails, and distribute malware more effectively. This method of botnet expansion enables the attackers to leverage a large number of compromised devices, significantly increasing the impact of their operations.

Despite warnings to MikroTik device owners to update their firmware and patch vulnerabilities, many devices remain exposed due to slow patching practices. The botnet demonstrates the potential danger posed by unsecured, outdated networking devices. Infoblox has advised MikroTik users to apply the latest firmware updates, change default admin credentials, and restrict remote access to control panels unless absolutely necessary. The misuse of MikroTik devices highlights the importance of maintaining robust security practices and timely software updates to protect against botnet-driven cyberattacks.

Reference:
  • MikroTik Botnet Exploits DNS Flaws to Spread Malware Across 20000 Domains

Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, January 2025