The MikroTik Botnet & DNS

I read this post a few days ago and promptly shot of to my DNS records to confirm that all my domain records where following best practice, although sometimes this can be difficult especially in relation to email as certain providers are not following best practice.

I wasn't over concerned with the following. I don't use them.

"Through mapping out the activity of this botnet related to the malspam campaign, we identified over 13,000 compromised MikroTik devices and 20,000 domains involved in sending spoofed mail. We also identified that these devices have been compromised in a way that allows them to be operated as an open (SOCKS4) relay."

How A Large-Scale Russian Botnet Operation Stays Under the Radar

Russian threat actors combine domain name vulnerabilities with hidden router proxy techniques to scale their attacks while remaining shielded from detection.

Infoblox BlogInfoblox Threat Intel

However, the DNS section of the article caught my eye in a big way

"This DNS misconfiguration could have been done by accident, or as a malicious modification by a threat actor with access to the domain’s registrar account. Either way, the consequence is that any device can spoof the legitimate domain in email."

20000 domains are a lot.