Corero

What To Know about the Meris DDoS Botnet

Did you know that “Meris” means “plague” in the Latvian language?

Neither did we, until the Meris botnet was recently discovered. So far, this new botnet seems to leverage only one family of devices: those powered by RouterOS, an operating system from MikroTik, a Latvian company that makes routers and wireless ISP systems. The Meris botnet has already been used to launch distributed denial of service (DDoS) attacks, including a massive attack on the Krebs on Security site in September (yes, that’s the same site that was afflicted by an attack from the infamous Mirai botnet, back in 2016). The recent Meris assault on Krebs on Security was much larger in volume than the previous Mirai botnet attack. Security researchers have not yet uncovered the malicious code that drives the Meris botnet, but it is highly likely that the perpetrators will be sharing the code on the Dark Web to be used and evolved by scores of other threat actors.

MikroTik published a statement in September for those who use their devices: “As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was quickly patched. Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”
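The checks MikroTik lists above (scripts you did not create, firewall rules that allow remote access) can be run offline against a saved RouterOS `/export`. The following Python sketch is an added example, not MikroTik's or Corero's code; the sample export, the entry names and the allowlist of known names are constructed, and it assumes that any input-chain accept rule without a source, interface or connection-state matcher deserves review.

```python
import shlex

# Constructed sample of a RouterOS "/export" (not from a real device).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="mgmt from LAN" src-address=192.168.88.0/24
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input
/system scheduler
add interval=1d name=nightly-backup on-event=backup-to-nas
add interval=3m name=sched1 on-event="/system script run \
    job1"
/system script
add name=backup-to-nas source="/system backup save name=nightly"
'''

# Matchers that narrow who an input-chain accept rule applies to (assumed policy).
NARROWING = ("src-address", "src-address-list", "in-interface", "in-interface-list", "connection-state")

def parse_export(text):
    """Yield (menu, params) for each 'add' line, joining '\\' continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):         # menu path, e.g. "/system scheduler"
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)

def audit(text, known_names):
    """Return review items: entries not in known_names, unrestricted input accepts."""
    findings = []
    for menu, p in parse_export(text):
        if menu in ("/system script", "/system scheduler"):
            if p.get("name") not in known_names:
                findings.append(("unknown-entry", menu, p.get("name")))
        elif menu == "/ip firewall filter":
            if (p.get("chain"), p.get("action")) == ("input", "accept") \
                    and not any(k in p for k in NARROWING):
                findings.append(("open-input-accept", menu, p.get("dst-port", "any")))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT, {"nightly-backup", "backup-to-nas"}), sep="\n")
```

On the constructed sample it reports the scheduler entry `sched1`, which is not in the allowlist, and the accept rule for TCP 8291 (the default Winbox port), which has no source restriction.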

More Powerful than Mirai

The Meris botnet delivers its punch in requests-per-second (RPS), rather than gigabits-per-second (Gbps), sending a volume of requests to a target server that greatly exceeds its CPU and memory capacity. According to Cybernews, “The Meris botnet is made up of professional networking equipment. The make-up of the botnet means that perpetrators behind the botnet have access to a lot more processing power and high-speed ethernet, allowing for one record-breaking attack after another.” This means the botnet can easily be used to launch record-breaking, terabit-sized volumetric DDoS attacks. Security experts have reason to worry that the recent Meris botnet attacks have been test-drives, representing only a fraction of the botnet’s true power.

The advice is to update your networking device firmware and change your passwords. This is, of course, a general best practice to follow, regardless of device manufacturer and irrespective of whether any vulnerabilities have already been publicly disclosed. However, as an organization that would suffer significant impact from a DDoS attack powered by Meris, or any other attack tool, you can’t rely on others to be so diligent. Therefore, the only proper way to ensure you are protected against the business-damaging effects of DDoS attacks is to use a defense solution that detects and stops attacks accurately and automatically, in real time.