We've seen just the tip of the Mēris botnet iceberg
Last month, Russian tech giant Yandex was hit by the largest DDoS attack in history. The record-breaking attack was likely just a test drive.
The distributed-denial-of-service (DDoS) attack against Yandex that was carried out from August to September clocked in at a humongous 22 million requests per second (RPS).
What is Mēris?
The botnet behind the attacks was dubbed Mēris, which means 'plague' in Latvian. The name might have originated because the attack against Yandex employed mainly MikroTik network devices manufactured in Latvia.
The name is also reminiscent of the infamous Mirai ('future' in Japanese) botnet. First discovered in 2016, Mirai used malware that infected Linux-based devices and then self-propagated via open Telnet ports to infect other machines.
Mēris, however, is potentially more potent and more dangerous than its well-known predecessor. For example, previous botnets were made of IoT devices such as IP cameras, with relatively limited processing power and networking capabilities.
Meanwhile, the Mēris botnet is made up of professional networking equipment. That make-up means the perpetrators behind the botnet have access to far more processing power and high-speed Ethernet, allowing for one record-breaking attack after another.
According to a MikroTik blog entry, in the recent attack against Yandex the botnet abuses a patched vulnerability (CVE-2018-14847) that affected RouterOS, the operating system used by MikroTik devices.
The MikroTik blog entry states that 'the attacker is reconfiguring RouterOS devices for remote access, using commands and features of RouterOS itself.' The worst part is that patching now won't undo the damage: a password change and a firewall update are also necessary to secure a device that was already reconfigured.
MikroTik also noted that a specific type of malware aims to reconfigure their devices from Windows computers from inside the network. The malware explicitly targets the aforementioned CVE-2018-14847 vulnerability.
So far, the patched vulnerability is the only confirmed way the botnet can infect new devices. However, it's not yet possible to rule out an unknown zero-day vulnerability or brute-force password attacks as additional ways for the botnet to spread.
How big is it?
Our researchers estimate around 250,000 devices in the botnet, with another 40,000 devices still exposed to abuse via the CVE-2018-14847 vulnerability. For now, those devices appear to be uninfected.
With a quarter of a million devices, the maximum capacity of the botnet stands at 110 million requests per second. This means that the largest DDoS attack in history demonstrated only 20% of the Mēris botnet capabilities.
Worryingly, that implies that previous attacks were merely equipment testing events, not meant to take down their targets. CyberNews researchers note that the attackers constantly rotated devices employed in the assault. Moreover, the attacks themselves were usually short and terminated on attackers' initiative.
Interestingly, compared to older botnets, Mēris abuses the network stack in a novel way to carry out DDoS attacks. Whereas previously attackers would abuse the network layer, the Mēris botnet targets the application layer.
Even though this tactic makes it virtually impossible to DDoS a target using spoofed IP addresses, it also makes the attack extremely hard to mitigate, since the requests are indistinguishable from ones a legitimate source would make.
To confuse the target's defenses even further, the domains used for the botnet have an HTTPS proxy service running. These domains likely function as proxies for the real C2 servers used by the attackers, and the HTTPS proxy service further complicates the target's ability to recognize whether a request comes from a legitimate source or from the botnet.
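The point above, that an application-layer flood consists of requests that each look legitimate, is easiest to see on real log data. The following is an added example, not code from the CyberNews article, Yandex or MikroTik: a small detector that runs over constructed web-server access log lines (combined log format, RFC 5737 documentation addresses) and flags floods from per-second volume rather than request content. It also covers the case the article mentions of many rotated sources each sending only a little, which a per-IP limit alone misses. All thresholds and sample traffic are assumptions made for the example.

```python
"""
Added example, not code from the CyberNews article, Yandex or MikroTik:
a small detector for application-layer (HTTP) floods run over web-server
access logs. Every request below is an ordinary GET, so nothing in a single
line separates bot traffic from a real visitor; the usable signal is volume
and timing, per source and in aggregate. All log lines are constructed
here, and the IPs come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REQ = "GET /search?q=price HTTP/1.1"   # identical for bots and real users
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/92.0"


def make_line(ip, ts):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{REQ}" 200 512 "-" "{UA}"'


def parse_line(line):
    """Return a dict of fields, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = int(datetime.strptime(rec["ts"], TS_FMT).timestamp())
    return rec


def per_second_counts(records):
    """Map each second to a Counter of requests per source IP in that second."""
    table = defaultdict(Counter)
    for r in records:
        table[r["second"]][r["ip"]] += 1
    return table


def analyze(lines, per_ip_threshold=20, aggregate_threshold=100):
    """Classify traffic by volume only; thresholds are assumed example values."""
    records = [r for r in map(parse_line, lines) if r]
    table = per_second_counts(records)
    if not table:
        return {"parsed": 0, "verdict": "no data"}
    # Sources that exceed the per-IP limit in any single second.
    noisy = sorted({ip for c in table.values()
                    for ip, n in c.items() if n >= per_ip_threshold})
    peak_second = max(table, key=lambda s: sum(table[s].values()))
    peak_counter = table[peak_second]
    aggregate_peak = sum(peak_counter.values())
    top_source_share = max(peak_counter.values())
    if aggregate_peak < aggregate_threshold:
        verdict = "normal"
    elif top_source_share >= per_ip_threshold:
        verdict = "concentrated flood"   # a few loud sources; per-IP limits help
    else:
        verdict = "distributed flood"    # many quiet sources; per-IP limits miss it
    return {
        "parsed": len(records),
        "noisy_sources": noisy,
        "aggregate_peak_rps": aggregate_peak,
        "distinct_sources_in_peak_second": len(peak_counter),
        "distinct_requests": len({r["req"] for r in records}),
        "verdict": verdict,
    }


# --- constructed sample traffic (not real captures) -----------------------
T0 = datetime(2021, 9, 5, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = []
# Two ordinary visitors.
SAMPLE_LINES += [make_line("198.51.100.10", T0 + timedelta(seconds=i)) for i in range(3)]
SAMPLE_LINES += [make_line("198.51.100.11", T0) for _ in range(2)]
# One loud bot: 25 requests in a single second.
SAMPLE_LINES += [make_line("203.0.113.5", T0 + timedelta(seconds=1)) for _ in range(25)]
# Forty quiet bots: 3 requests each, all in the same second, then rotated out.
for i in range(40):
    SAMPLE_LINES += [make_line(f"203.0.113.{100 + i}", T0 + timedelta(seconds=2))
                     for _ in range(3)]
SAMPLE_LINES.append("garbage line that should be skipped")

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Only one distinct request string appears in the whole sample, so inspecting request content gives the defender nothing; the loud bot is caught by a per-source limit, while the forty quiet bots push the aggregate rate past the limit without any one of them standing out, which is why aggregate rate and upstream mitigation matter alongside per-IP controls.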
Crypto mining gone wild?
As for the botnet's origins, there's no definitive answer so far. However, after investigating the domains used for the Mēris botnet, CyberNews researchers found that the same domains were used to run the U6 botnet a couple of years ago.
The U6 was also targeting MikroTik devices, just for a different purpose – crypto mining.
Although it's impossible to know for sure, there's a chance that the operators of the U6 botnet either changed the course of their activities or sold the botnet to operators with different goals in mind.
That might explain why Mēris has only used a fraction of its potential and why the recent attacks resemble a test drive rather than a full-fledged offensive. It's also possible that while most of the botnet is still used to mine cryptocurrencies, parts of it were tested for DDoS attacks.
Either way, the rise of Mēris spells trouble in an already intense period. Powerful, high-bandwidth devices can overwhelm major networks that do not have advanced DDoS mitigation in place.
According to Stel Valavanis, founder and CEO of onShore Security, a cybersecurity company, we're all far from done on the mitigation front despite combined efforts to alleviate DDoS attacks.
"Despite lots of awareness and cleanup, there still are lots of multipliers out there that can be exploited and of course lots of pwnable machines," Valavanis told CyberNews.
The newly developed capabilities of the Mēris botnet open many opportunities for threat actors to abuse their recently found power. At the current scale, the botnet is powerful enough to imitate large attacks intended to serve only as a distraction from the real goals of the perpetrators.
"It's just as scary to think that tens of thousands of devices are fairly easily commandeered and can wreak this havoc with a very simple tactic of DDOS. Many of those hosts are in critical areas, no doubt, so other forms of attack are even scarier," Valavanis told CyberNews.
Size matters with DDoS attacks, which means the Mēris botnet can overwhelm even massive networks, such as internet service providers (ISPs).
Andrew Shoemaker, founder and CEO of NimbusDDoS, a DDoS attack simulation platform, says the size of new botnets makes absorbing such attacks particularly challenging.
"This gives the attackers a much more diverse group of victims to target for DDoS extortion campaigns. Specifically, they can target larger organizations and demand significantly more in their extortion efforts," Shoemaker told CyberNews.
A DDoS caused internet outages in New Zealand last month when the country's third-largest internet service provider was hit. The attack cut off around 15% of the country's broadband customers from the internet at one point.
Recent reports show that 2021 will be yet another record year for the number of DDoS attacks carried out. Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
During DDoS attacks, vast numbers of "bots" attack target computers. Hence, many entities are attacking a target, which explains the "distributed" part. The bots are infected computers spread across multiple locations. There isn't a single host. You may be hosting a bot right now and not even know it.
When DDoS attackers direct their bots against a specific target, it has some pretty unpleasant effects. Most importantly, a DDoS attack aims to trigger a "denial of service" response for people using the target system. This takes the target network offline.
If you've repeatedly struggled to access a retail website, you may well have encountered a denial of service. And it can take hours or days to recover from.