The Security Ledger

Mirai Botnet attacks on Home Routers felt in UK, also

Attacks on home broadband routers by machines infected with Mirai, a botnet program, have knocked customers offline in the UK, as well as Germany, according to reports. Internet users in other countries may be affected, as well. (Image courtesy of Zyxel.)

In-brief: More than 100,000 homes in the UK had their Internet access interrupted by an attack on broadband routers. The incident is believed to be part of a larger attack that affected some 900,000 Deutsche Telekom customers last week. 

Internet attacks on vulnerable home broadband routers knocked more than 100,000 households offline in Great Britain, according to reports on Friday. The news comes days after reports that an estimated 900,000 customers of Deutsche Telekom experienced interruptions in Internet service as a result of the attacks, which attempt to exploit a vulnerability in home routers to install malicious software.

Reports from The Guardian and BBC say that customers of at least three UK-based telecommunications firms (TalkTalk, the Post Office and KCom) were affected by the attacks, which have been attributed to systems infected with the Mirai malware. The exact number of affected customers isn’t known, but Post Office confirmed that 100,000 of its customers had been targeted, while KCom put the figure at 10,000 customers. TalkTalk, one of the UK’s biggest Internet service providers, declined to say how many customers were affected.

The reports jibe with research from the firm Flashpoint, reported by The Security Ledger on Tuesday. Researchers from that firm observed infected devices operating from the United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy, as well as Germany.

The fact that home routers have been taken offline may be an indication of a successful or unsuccessful attack. In Germany, Deutsche Telekom said that few of its customers were infected by the Mirai malware, but that attempts to compromise home routers resulted in a loss of Internet connectivity.


The home routers affected by the attack contain a vulnerability in their implementation of the TR-069 and TR-064 protocols, which telecommunications firms use to remotely administer home routers and other so-called “customer premises equipment” (or CPE). The flaw allows attackers to issue a command to vulnerable devices – such as instructions to download the Mirai malware – via a SOAP (Simple Object Access Protocol) request. It was inadvertently introduced to millions of devices that use the TR-069 and TR-064 protocols in a software update in 2014, according to Zach Wikholm, a security research developer at Flashpoint.

That vulnerability was initially noticed by a researcher using the name “Kenzo,” who wrote about vulnerabilities affecting a specific DSL modem manufactured by Zyxel and used by the Irish ISP Eir. He published a “proof of concept” exploit on November 7 on the Reverse Engineering blog.

Deutsche Telekom issued a software update to close the security hole earlier this week, following the outage, according to a FAQ posted on the Deutsche Telekom website. However, it is unclear whether other providers have done the same.

According to researchers at Rapid7, the researcher also provided a proof-of-concept Metasploit module to exercise these vulnerabilities to expose the administrative web service on the Internet-facing side of the modem and to extract the administrative password to that admin web service. It isn’t known if Kenzo disclosed these issues to either Zyxel or Eir prior to public disclosure.

What is known is that attackers with access to the Mirai source code acted quickly on the new information and proof of concept exploit, basically reprogramming the botnet software to spread by looking for affected modems and launching a version of the proof of concept exploit to install the Mirai code on them, Wikholm said.

Writing on Tuesday, Rapid7 said it first noticed attacks aimed at the vulnerability on November 26th. The attacks appeared indiscriminate (“spray and pray,” as Rapid7 described them). As of Tuesday, Rapid7 had observed over 63,000 unique source IP addresses associated with these attempts to take over the routers, peaking at over 35,000 unique attempts per day on November 27th.

Home broadband users are advised to use tools such as SpeedGuide.net to determine whether port 7547, which is used by the TR-069 and TR-064 protocols, is open and accessible from the public Internet. If so, that port should be closed, Rapid7 said.
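
The same check can be scripted. The following is an added example, not code from the article, Rapid7 or Flashpoint; the function names `check_port` and `needs_action` are chosen here. It assumes you run it from a host outside your home network against the public address of a router you own, since a test from inside the LAN does not show what the Internet can reach.

```python
#!/usr/bin/env python3
"""Check whether TCP port 7547 (TR-069/TR-064 management) answers on a router you own.

Run it from a host OUTSIDE your home network, against your router's public IP.
"""
import argparse
import socket
import sys

TR069_PORT = 7547  # management port named in the article


def check_port(host: str, port: int = TR069_PORT, timeout: float = 5.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'error' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: the service is exposed
    except ConnectionRefusedError:
        return "closed"        # host replied with a reset: nothing is listening
    except socket.timeout:
        return "filtered"      # no reply: dropped by a firewall or an ISP filter
    except OSError:
        return "error"         # name resolution failure, no route, and so on


def needs_action(state: str) -> bool:
    """Only an 'open' result means the management port is reachable."""
    return state == "open"


def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("host", help="public IP or hostname of your own router")
    parser.add_argument("--timeout", type=float, default=5.0)
    args = parser.parse_args()
    state = check_port(args.host, timeout=args.timeout)
    print(f"{args.host}:{TR069_PORT} is {state}")
    if needs_action(state):
        print("Port 7547 is reachable from this host and should be closed.")
    return 1 if needs_action(state) else 0


if __name__ == "__main__":
    sys.exit(main())
```

A result of `closed` or `filtered` both mean the port did not accept a connection from the vantage point used; only `open` calls for the remediation described above.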