DDoS Protection , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Mirai Botnet Knocks Out Deutsche Telekom Routers

Irish Routers Under Attack Too; Poland, Austria See Suspicious IoT Activity
Mirai Botnet Knocks Out Deutsche Telekom Routers
Photo: Herr Olsen (Flickr/CC)

Some 900,000 Deutsche Telekom customers were knocked offline after their routers were infected with a version of Mirai, the malware that's designed to infect internet of things devices, which has been linked to recent, record-shattering distributed denial-of-service attacks.

See Also: Unified SASE: The Third Era of Network Security

The router infections disrupted internet connections, as well as telephony and television services, starting around Nov. 27, according to an advisory issued by Deutsche Telekom. Germany's National Cyber Defense Center is investigating.

The code that infected the routers is a modified version of Mirai, which is malware designed to infect and harness a variety of different types of internet-connected devices, writes Johannes Ullrich, dean of research at the SANS Technology Institute, in a blog post.

A large network of Mirai-infected digital video recorders and closed-circuit TV cameras executed some of the largest DDoS attacks on record over the past two months. DDoS attacks involve directing a barrage of data traffic at a service with the goal of making it unresponsive (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).

A massive attack against domain name server provider Dyn last month disrupted access to numerous sites, including many of its outsourced DNS management clients, which include PayPal, Spotify and Twitter. The DDoS attacks disrupted Dyn's ability to deliver internet address information to computers seeking to browse to numerous websites (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

Security experts have been warning for years that consumer routers are notoriously insecure, in part because manufacturers rarely patch the devices - particularly older models - even when researchers find serious security vulnerabilities in the devices.

The burgeoning internet of things has been compounding the problem. Now, millions of internet-connected consumer devices - with poor or missing security controls - are in the hands of consumers. Attackers have seized on this opportunity, infecting and harnessing these internet-connected devices and their processing power to serve as free attack launch pads. The power of these devices, en masse, has ben demonstrated by multiple, different Mirai botnets being used to execute record-breaking DDoS attacks.

Deutsche Telekom Issues Emergency Update

In the wake of the router exploits affecting its customers, Deutsche Telekom has issued a software update that gets automatically installed after infected routers get restarted. The models affected are the Speedport W 921V, W 723V Type B and W 921 Fiber.

Observers say such infections could affect other ISPs that have older routers with software vulnerabilities still in use by customers. And there are already indications of suspected malicious scanning activity in Poland and Austria.

"This issue ... may affect others as well given that the U.S. is just 'waking up' from a long weekend," Ullrich writes.

Attackers Stalk Open Ports

Mirai attackers are hunting for DSL routers that have port 7547 open to launch attacks against the Simple Online Access Protocol - a.k.a. SOAP - service, Ullrich writes.

That port is the entry point for strikes using the TR-069 or TR-064 protocols, which are used by network operators for remote management of devices such as routers and set-top boxes.

In some cases, ISPs or router manufacturers do not require authentication to connect to a router using those protocols, thus leaving them at risk of attackers accessing them remotely and then executing malicious code.

Attacks in Ireland

Earlier this month, an anonymous researcher - using the handle "kenzo2017" - penned a blog post warning of problems with Zyxel-made Eir D1000 modems, which at one time were distributed by the Irish telecoms operator Eir.

The TR-064 protocol "is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side," the researcher wrote." This allows us to 'configure' the modem from the internet."

On older routers, Eir didn't allow access to port 7547 except for IP addresses it controlled. "Inexplicably, Eir do not do this for their newer modems," the researcher writes. "If they did, these bugs would not have been exploitable."

These concerns are not academic: A module for exploiting the flaw in Eir routers has already been developed for the free, open source vulnerability testing framework Metasploit, and as of Nov. 28, cybersecurity firm Fox-IT reports that Eir D1000 routers have been infected and used to spread a modified version of Mirai.

"I have just done a search on Shodan for port 7547 in the Irish internet space and nearly 200,000 devices are there, with 182,000 of them with Eir," Brian Honan, a Dublin-based information security consultant who also runs Ireland's Computer Security Incident Response Team, tells Information Security Media Group.

So far, it doesn't appear that the compromised routers have been used to conduct any DDoS attacks. Instead, infected routers try to find other vulnerable ones, displaying worm-like behavior as they attempt to enlarge the pool of compromised devices.

The blog BadCyber, which analyzed a sample of the attack code, has published an analysis of the module, concluding that "the author of the malware borrowed the Mirai code and mixed it with the Metasploit module to produce his worm."

Millions of Routers At Risk?

Beyond the Eir and Deutsche Telekom attacks, however, researchers are warning that millions of more devices could be vulnerable to these router-focused attacks. Using the Shodan search engine, which allows for searches of internet-connected devices based on specific criteria, for example, Ullrich at the SANS Institute found 41 million devices across the internet that have port 7547 open.

Darren Martyn of Insecurety Research writes on Twitter that he's so far identified about 50 routers models from several vendors that could be affected, including ones distributed by TalkTalk in the U.K. and VIVO in Brazil.

In the wake of these router attacks, Ullrich recommends that IT administrators immediately block port 7547 and install any patches - if available - to lock down potentially affected devices.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.