Date: 2021-10-26

NETSCOUT observes two distinct MikroTik-based IoT botnets involved in recent DDoS attacks

October 2021 by NETSCOUT

In June 2021, a new botnet comprising unpatched MikroTik routers emerged. Dubbed Mēris by threat researchers at NETSCOUT, this IoT botnet launched numerous application-layer HTTP and HTTP/S DDoS attacks against multiple targets worldwide, including Krebs On Security and Yandex. According to NETSCOUT’s findings:

There are an estimated 250,000 unpatched MikroTik routers worldwide that can potentially be compromised and incorporated into DDoS-capable botnets like Mēris.

There are at least two DDoS-capable IoT botnets, Mēris and Dvinis, inhabiting the same population of unpatched, exploitable MikroTik routers.

Since August 2021, NETSCOUT observed multiple HTTP and HTTP/S application-layer DDoS attacks launched by Mēris and Dvinis, and assisted network operators in successfully mitigating these attacks.

Both botnets are actively attempting propagation to expand and, to date, NETSCOUT is tracking approximately 4,800 Mēris and 3,500 Dvinis botted nodes.