Report: Millions (and Millions) of Devices Vulnerable in latest Mirai Attacks

Mirai botnet infections globally. (Image courtesy of Imperva.)

In-brief: Attacks that took 900,000 broadband routers offline in Germany have hit other countries as well, as security experts warn that the number of devices vulnerable to attack could number in the millions. 

An online attack that took an estimated 900,000 home routers offline in Germany is being blamed on the Mirai botnet, a global network of infected cameras, printers, digital video recorders and other Internet of Things devices. But the attacks go well beyond Germany, and the true number of vulnerable devices that could be targeted is much larger, numbering in the millions, according to new analysis by the firm Flashpoint.

On Monday, Deutsche Telekom acknowledged that broadband routers it operates were knocked offline by a large-scale attack that attempted to infect broadband routers with malicious software. In a blog post on Tuesday, researchers at Flashpoint said that their analysis confirmed that attacks were launched by infected computers running a variant of the Mirai botnet. The attack was apparently an effort to expand the number of Mirai-infected devices world-wide.

In a statement to customers, Deutsche Telekom said that around 4 percent of its customers were affected by the attack – around 900,000 routers. The effects of the attack ranged from slow service to a failure of service. As of Tuesday, the company said that not all customers were back online. However, the company took pains to explain that the attack against its routers was not successful. Malicious software was not installed on the devices, nor was customer data compromised.

The attacks targeted a range of broadband routers used by DT. Among them are the Speedport W 921V and Speedport W 723V Type B, the Speedport W 504V Type A and Speedport Entry I. The devices are made by a variety of manufacturers including Chinese vendor Huawei, Taiwanese firm Arcadyan, Siemens and others, according to statements by Deutsche Telekom and other publicly available information.

In contrast to earlier rounds of Mirai infections, which relied on brute force (or “dictionary”) attacks that guessed default administrator usernames and passwords, the latest attacks attempted to exploit a known vulnerability in a remote maintenance interface. Attacks were launched using the TR-064 and TR-069 protocols, which are commonly used for managing so-called “customer premises equipment” (or CPE) in wide area network environments, DT said. Deutsche Telekom said it is working with manufacturers on firmware updates to address the vulnerability and is rolling them out to customers as they become available. The TR- protocols are what telecommunications firms and others use to remotely manage broadband routers in homes and businesses, said Zach Wikholm,* a security research developer at Flashpoint.

Exploit code used by the Mirai botnet. (Image courtesy of Flashpoint)

The vulnerability exploited by the botnet resides in the implementation of the TR-069 and TR-064 protocols themselves and was inadvertently introduced in an update to the protocols. That update was then distributed to millions of devices in the field via firmware updates in recent years.

The flaw allows attackers to issue a command to vulnerable devices – such as instructions to download the Mirai malware – via a SOAP (Simple Object Access Protocol) request. It is unclear how the cyber criminals who operate Mirai became aware of the vulnerability, but Wikholm notes that a module for the Metasploit framework targeting it was introduced last week, and may have provided them with the information they needed to exploit it.

From there, the attackers made quick modifications to Mirai’s code to switch from the original attack method – brute force password guessing – to exploiting the TR- protocol vulnerability, and set the malware to work finding victims to attack, Wikholm said. “The turnaround time was less than a week – amazingly quick given the amount of re-engineering it would take to build something like this.”

The Mirai malware source code was released to the public in early October, meaning that anyone with the technical knowhow can build their own version of the bot. That makes it difficult to know, for sure, who is behind the latest attacks. However, in its analysis, Flashpoint said that it believes that the new Mirai variant used in the attacks is “likely an attempt by one of the existing Mirai botmasters to expand the number of infected devices in their botnet.” 

While the exact number of infected devices isn’t known, Flashpoint estimates the global population of infected devices to be “five million” endpoints. The total number of vulnerable devices is much, much larger, though. Some estimates put the total number of devices with port 7547 open at around 41 million, Wikholm told Security Ledger. However, only a fraction of those allow parties other than Internet Service Providers to access those devices. That may be around five million devices globally, he said, though the exact number is unknown.

Even that smaller number could spell disaster. Denial of service attacks in recent months that reached upwards of 700 Gigabits per second of traffic were launched from Mirai botnets with only 100,000 to 200,000 infected hosts. Wikholm said the object of the attacks appears to be to build large botnets that can be used “as a commercial service.”

Deutsche Telekom was also not the only target. Flashpoint said it has observed infected devices operating from the United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy, as well as Germany. Flashpoint said its sensors have observed a spike in traffic on port 7547, which is used by the TR- protocols. Its passive sensors detected scans for that port arriving from outside the affected countries, from IP addresses within residential and commercial ISPs; the requests themselves were what they should be. Traffic on port 7547 at a global scale is not common.
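The detection angle described above, as an added example that is not from the article or from Flashpoint: a network operator or home user with router or firewall logs can flag inbound connections to TCP/7547 that do not originate from the ISP's own management network, and bucket them by hour so a scanning spike stands out. The ISP management range, the log format and the log lines are all constructed placeholder values.

```python
"""Flag inbound TR-064/TR-069 (TCP/7547) traffic from non-ISP sources.

Added illustration, not code from the article. The ISP management network,
the syslog-like line format and the sample lines below are constructed."""
import ipaddress
import re
from collections import Counter

# Hypothetical ISP auto-configuration-server (ACS) range: in a healthy setup
# only this network should ever talk to the CPE management port. Placeholder.
ISP_MGMT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TR_MGMT_PORT = 7547

# Constructed sample of WAN-side firewall log lines (invented format).
SAMPLE_LOG = """\
2016-11-27T10:01:02Z fw IN=wan SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-27T10:01:05Z fw IN=wan SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-27T10:01:06Z fw IN=wan SRC=198.51.100.8 DST=192.0.2.5 PROTO=TCP DPT=443
2016-11-27T10:01:09Z fw IN=wan SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-27T11:00:01Z fw IN=wan SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=7547
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def is_isp_source(addr: str) -> bool:
    """True if the source address sits inside the ISP's management network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISP_MGMT_NETS)


def find_untrusted_mgmt_hits(log_text: str):
    """Return (timestamp, src) for every TCP/7547 hit from a non-ISP source."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != TR_MGMT_PORT:
            continue  # unparsable line or some other service port
        if not is_isp_source(m["src"]):
            hits.append((m["ts"], m["src"]))
    return hits


def hits_per_hour(hits):
    """Bucket hits by hour (YYYY-MM-DDTHH) so a scan spike stands out."""
    return Counter(ts[:13] for ts, _ in hits)


if __name__ == "__main__":
    hits = find_untrusted_mgmt_hits(SAMPLE_LOG)
    for ts, src in hits:
        print(f"untrusted TR-064/069 access attempt at {ts} from {src}")
    print(dict(hits_per_hour(hits)))
```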

Wikholm wouldn’t comment on who Flashpoint believes is behind the attacks. He said the firm is working with law enforcement on that very problem. In an interview on Tuesday, German Chancellor Angela Merkel said that she had no information on where the cyber attack originated.

“Such attacks are a part of every day life and people have to get used to them,” she said.

(*) An earlier version of this story misspelled Mr. Wikholm’s name. The story has been corrected. – PFR 11/29/2016
