Russians Prevent Mēris Botnet From Hijacking 45,000 Devices
Russia’s Remote Electronic Voting System Fends Off 19 DDoS Attacks
Following the massive DDoS attacks on Russian search engine Yandex, Russian cybersecurity firm Rostelecom-Solar claims it has stopped what it believes to be the Mēris botnet from wreaking further havoc by foiling its attempt to take over 45,000 new devices.
Rostelecom is a Russian digital services provider with a separate cybersecurity arm called Solar. Rostelecom-Solar says it stopped the attack with "the help of the Solar JSOC CERT Center for Early Detection of Cyber Threats" and in conjunction with "specialists of the National Coordination Center for Computer Incidents."
The company's president, Mikhail Oseevsky, briefed the Russian news agency Tass at the Central Election Commission’s information center, saying that the company has stopped 19 distributed denial-of-service attacks targeting Russia’s remote electronic voting system.
The Foiled Attempt
According to a statement from Rostelecom-Solar, the Solar JSOC CERT trapped the botnet in a honeypot network installed by its engineers. This enabled the engineers to analyze the traffic and the commands and code used to control infected devices. "The errors identified in them allowed Solar JSOC CERT experts to detect 45,000 network devices, their geographic location, and enabled isolating them from the botnet," Rostelecom-Solar says.
The company has not yet responded to Information Security Media Group's request for technical details about the malicious code its experts detected and reverse-engineered in order to prevent the takeover.
In its statement, Rostelecom-Solar noted that 20% of the devices attacked are located in Brazil, with the next largest number in Ukraine, followed by Indonesia, Poland and India. Less than 4% of the devices are located in Russia.
The company says it made a list of all infected devices based on their country of origin and handed it over to the NCCCI, which informed the respective foreign governments and their CERTs about the presence of botnet clusters in their countries. The company adds that Russian telecom operators whose infrastructure had infected nodes were also identified and notified of the incident.
Defusing 19 DDoS Attacks
Tass reports that Oseevsky issued a statement to the Russian media from the CEC's office, saying his company had stopped 19 DDoS attacks targeting various governmental resources, including the CEC's portal, the elections portal and the state services portal. Although he did not say which botnet was used in these attacks, a subsequent statement suggests it is likely the work of Mēris.
Oseevsky says the majority of the 19 attacks lasted several minutes, but the longest, observed on Saturday, lasted for 5 hours and 32 minutes. Oseevsky did not give the requests-per-second rate of these DDoS attacks, confirming only that they were "large-scale" attempts.
The latest recorded DDoS signatures of the Mēris botnet in the attack on Russia's governmental resources show that "its activity is ongoing, but we observe a decline in the attacks' intensity. Attacks are in range of thousands of active bots and a few hundred thousand requests per second," a Qrator spokesperson tells ISMG.
About the Mēris Botnet
The Mēris Botnet was first observed by cybersecurity firms Qrator Labs and Cloudflare in huge waves of DDoS attacks orchestrated in the past couple of months. At its peak, the DDoS attack signatures that these firms monitored saw a spike of nearly 17.2 million to 21.8 million requests per second (see: Mēris: How to Stop the Most Powerful Botnet on Record).
According to MikroTik, the attacks used routers that were compromised in 2018. At the time, MikroTik RouterOS had a vulnerability that was quickly patched. Closing the vulnerability, however, does not by itself protect routers that were compromised before the patch was applied.
"If somebody got your password in 2018, just an upgrade will not help. You must also change your password and apply firewall rules for the traffic coming in from the open internet," MikroTik tells ISMG.
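The three steps MikroTik describes (upgrade, change the password, firewall the internet-facing side) map onto a short RouterOS configuration. The following is an added hardening example written for this article; it is not MikroTik's own script and not part of the original report. It assumes ether1 is the internet-facing interface, 192.168.88.0/24 is the trusted management LAN, and the admin account is the one that may have been exposed; adjust all three for your own deployment, and run it only after RouterOS has been upgraded.

```routeros
# Added example (not from the article or MikroTik). Assumptions: ether1 = WAN,
# 192.168.88.0/24 = trusted LAN, "admin" = the account whose password may have leaked.

# 1. Rotate the credential: a password stolen in 2018 survives a firmware upgrade.
/user set admin password="REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE"

# 2. Put the internet-facing interface in a list so firewall rules can refer to it.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# 3. Disable management services that should not be reachable at all.
/ip service disable telnet,ftp,www,api,api-ssl

# 4. Restrict the remaining management services to the trusted LAN subnet.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 5. Input chain: accept replies to the router's own traffic and LAN-side management,
#    drop invalid packets, and drop every unsolicited connection arriving from the WAN.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="allow replies"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input in-interface-list=!WAN action=accept comment="allow LAN management"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="drop unsolicited WAN traffic"

# 6. Verify the result before disconnecting the console session.
/ip service print
/ip firewall filter print
```

Rule order in the input chain matters: the established/related accept comes first so existing sessions keep working, and the final WAN drop catches everything not explicitly allowed above it. Keep a console or out-of-band session open while applying the rules so a mistake in the interface name does not lock you out.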