13,000 MikroTik Routers Hijacked for Cyberattacks

MikroTik routers are at the center of a new cyber threat, with 13,000 devices hijacked and turned into a botnet. This botnet spreads malware through email spam, bypassing email security filters by exploiting misconfigured SPF records in DNS.

According to a recent report, attackers use these compromised routers to send malicious emails disguised as legitimate messages. The campaign, known as Mikro Typo, was first detected in November 2024. It lures victims with fake freight invoices containing a ZIP file. When opened, the file executes a JavaScript script that launches a PowerShell command. This command then connects to a remote server controlled by hackers.

The exact method used to compromise the routers remains unclear. However, some affected devices run firmware versions vulnerable to CVE-2023-30799. This critical flaw allows attackers to escalate privileges and execute arbitrary code. Once inside, the hackers install a script that enables SOCKS proxies, turning the routers into TCP traffic redirectors.

Enabling SOCKS allows cybercriminals to hide their real location, making attacks harder to trace. Moreover, the proxies on the compromised routers lack authentication controls, so multiple threat actors can misuse them. This botnet can facilitate various cybercrimes, including distributed denial-of-service (DDoS) attacks, phishing campaigns, and data theft.

One key factor enabling this attack is a widespread misconfiguration in sender policy framework (SPF) records. Over 20,000 domains have SPF records ending in “+all,” which tells receiving mail servers that any host on the internet—including a hijacked MikroTik router—is authorized to send email on their behalf. This flaw helps attackers bypass security filters and distribute malicious emails effectively.

Preventive Measures

To protect against these threats, MikroTik device owners should keep their firmware updated, in particular to versions that address CVE-2023-30799. Changing default credentials helps prevent unauthorized access, and domain owners should review their SPF records so that they do not end in “+all.” Additionally, disabling unnecessary services such as the SOCKS proxy and enabling firewall rules can reduce a router's exposure to cyberattacks.
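The "+all" misconfiguration described above and the advice to review SPF records both come down to one check: what qualifier a domain applies to the terminal "all" mechanism of its SPF record. The following script is an added example, not code from the article or from any vendor; it evaluates that check offline against a set of constructed sample TXT records (the domains and records are invented for illustration) and classifies each domain's posture the way a receiving mail server would interpret it under RFC 7208.

```python
"""Classify a domain's SPF posture from its DNS TXT records (RFC 7208 semantics)."""
import re

# Constructed sample TXT records for illustration; the domains are not real.
SAMPLE_RECORDS = {
    "example-strict.test":   ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"],
    "example-soft.test":     ["v=spf1 mx ~all"],
    "example-neutral.test":  ["v=spf1 a ?all"],
    "example-open.test":     ["v=spf1 +all"],
    "example-implicit.test": ["v=spf1 ip4:198.51.100.7 all"],   # bare 'all' defaults to '+'
    "example-missing.test":  ["google-site-verification=abc"],
    "example-dup.test":      ["v=spf1 -all", "v=spf1 +all"],    # two records -> permerror
}


def extract_spf(txt_records):
    """Return only the SPF records among a domain's TXT records (exactly one is valid)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]


def all_qualifier(record):
    """Return the qualifier on the first 'all' mechanism: '+', '-', '~', '?' or None if absent.

    RFC 7208 makes the qualifier optional and defaults it to '+', so a bare 'all'
    is just as permissive as '+all'. Terms after 'all' are never evaluated.
    """
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def assess_spf(txt_records):
    """Classify one domain's SPF records. Returns (verdict, reason)."""
    spf = extract_spf(txt_records)
    if not spf:
        return ("missing", "no v=spf1 record; receivers cannot authenticate senders by SPF")
    if len(spf) > 1:
        return ("invalid", "multiple SPF records yield permerror; SPF gives no protection")
    qualifier = all_qualifier(spf[0])
    if qualifier == "+":
        return ("open", "'+all' (or bare 'all') authorizes any host on the internet to send as this domain")
    if qualifier == "?":
        return ("neutral", "'?all' gives receivers no signal; treated like having no policy")
    if qualifier == "~":
        return ("softfail", "'~all' flags unlisted senders as suspicious but does not reject them")
    if qualifier == "-":
        return ("strict", "'-all' rejects unlisted senders")
    return ("no-all", "no terminal 'all'; unlisted senders evaluate to neutral")


def scan(domain_records):
    """Assess every domain in a {domain: [txt records]} mapping."""
    return {domain: assess_spf(records) for domain, records in domain_records.items()}


if __name__ == "__main__":
    for domain, (verdict, reason) in scan(SAMPLE_RECORDS).items():
        print(f"{domain:24} {verdict:9} {reason}")
```

To run the check against real domains, feed `scan()` the TXT records returned by a resolver (for example the output of `dig +short TXT example.com`) in place of the constructed sample; any domain reported as "open", "neutral", "missing" or "invalid" is one whose mail can be spoofed from arbitrary hosts, which is exactly what the hijacked routers rely on.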