Service disruptions affecting nearly one million Deutsche Telekom landline customers since last weekend are the result of a worldwide cyberattack aimed at infecting routers with a variant of Mirai Internet of Things (IoT) botnet malware, German authorities and security researchers have now confirmed.
The attack exploits a remote-management service left open on certain models of DSL routers: TCP port 7547, the TR-069 (CWMP) port through which broadband providers remotely configure customer-premises equipment. In a forum post, the SANS Institute's Internet Storm Center describes the issue as a Simple Object Access Protocol (SOAP)-based remote code execution flaw, and warns that a Metasploit module has already been crafted to exploit it.
Many of the affected routers were sold by Deutsche Telekom under the brand name Speedport. Reuters identified the original manufacturer of these devices as Taiwan's Arcadyan Technology. Deutsche Telekom issued a firmware patch for the vulnerable products on Monday, advising customers to unplug their routers for 30 seconds before plugging them back in so that the automated update would take effect. (Customers can also install the patch manually.)
Routers distributed by Ireland-based telecom company Eir were similarly affected – specifically its Zyxel D1000 and Zyxel P-660HN-T1A models. In a statement provided to SC Media, Eir confirmed that around 30 percent of its broadband routers contain the vulnerability, and that efforts to remediate the issue were underway. “We have been working with Zyxel, the supplier, and we have deployed a number of solutions both at the device and network level which will remove this risk. All of the potentially affected modems are now protected with the network mitigation we have taken. We continue to deploy the firmware patch,” reads the company statement.
“In addition, we strongly recommend that customers with these modems… change the administration password for the modem as well as their Wi-Fi password. Different passwords should be used,” Eir continued in its corporate statement.
SC Media also reached out to Arcadyan for comment.
Meanwhile, a statement released on Monday by Germany's Federal Office for Information Security (or BSI) reported that these latest Mirai attacks have been “registered on the government network protected by the BSI, but they have remained inconsistent on the basis of effective protective measures.” The agency also noted that Germany's National Cyber Defense Center is coordinating federal incident response measures under BSI's authority.
After receiving a series of complaints from Deutsche Telekom customers, researchers at cybersecurity firm Kaspersky Lab collected several samples of malicious incoming router traffic and analyzed the attack. According to a Securelist report, Kaspersky found that the adversaries were indeed sending requests to port 7547 that delivered a Mirai-related binary. SANS' Internet Storm Center found that a large portion of the incoming malicious traffic originated from already infected DSL modems in Brazil.
Upon infection, the malware – which resides only in memory and so does not survive a reboot, although an unpatched device can be reinfected as soon as it is back online – hijacks the router, letting the attackers operate it as a bot that scans for other devices with open ports in order to spread the malware further, or launches other attacks, including distributed denial-of-service (DDoS) attacks.
Interestingly, Kaspersky found that at one point the malware's command-and-control servers were pointed at U.S. military-related IP addresses, even though there was no Mirai infrastructure behind that particular network range. “For sure, this is some kind of trolling from the criminals who conducted the attack,” the Kaspersky blog concluded.
In a separate report issued on Tuesday, business risk intelligence firm Flashpoint asserted that the new Mirai variant likely constitutes an attempt by a Mirai botmaster to build up his existing army of hijacked, zombie machines.
Flashpoint placed the total number of routers potentially susceptible to this variant at 5 million. That figure counts routers that expose port 7547 and accept connections from outside the ISP provisioning networks that telecom companies typically use to remotely manage customer modems and routers.
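The two behaviours the article describes, a provisioning port answering requests from non-ISP addresses and an infected router sweeping other hosts on that port, are both visible in ordinary flow or firewall logs. The following is an added example, not code from the article, Kaspersky, SANS or Flashpoint: the flow records are constructed, the "ISP management prefix" is a hypothetical allow-list that a real operator would fill from its own ACS network ranges, and the scan threshold of ten distinct targets is an arbitrary starting point.

```python
"""Flag TR-069 port exposure and bot-style scanning in constructed flow records.

Added example, not from the article or the vendors it cites. ISP_MGMT_PREFIXES
and SAMPLE_FLOWS are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

TR069_PORT = 7547      # TR-069/CWMP connection-request port abused in the campaign
SCAN_THRESHOLD = 10    # distinct targets on 7547 before a source is called a scanner (assumption)

# Hypothetical ACS/provisioning range; in practice taken from the ISP's own allocations.
ISP_MGMT_PREFIXES = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed flow records: src_ip src_port dst_ip dst_port method payload_hint
SAMPLE_FLOWS = [
    # legitimate configuration push from the provisioning network
    "10.200.4.7 51234 198.51.100.23 7547 POST soap:Envelope",
    # SOAP posts to 7547 from an address that is not an ISP management host
    "203.0.113.9 40001 198.51.100.23 7547 POST soap:Envelope",
    "203.0.113.9 40002 198.51.100.24 7547 POST soap:Envelope",
    # unrelated HTTPS connection, must not be flagged
    "198.51.100.78 44000 192.0.2.50 443 SYN -",
] + [
    # an already-infected router sweeping a /24 for other devices with 7547 open
    f"198.51.100.77 {33000 + i} 192.0.2.{i} 7547 SYN -" for i in range(1, 13)
]


def parse_flow(line):
    """Split one constructed record into its fields."""
    src, sport, dst, dport, method, hint = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "method": method, "hint": hint}


def is_isp_management(ip):
    """True when the address belongs to one of the allow-listed provisioning ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ISP_MGMT_PREFIXES)


def unauthorized_cwmp_requests(lines):
    """SOAP POSTs to 7547 whose source lies outside the ISP management prefixes.

    This is the exposure Flashpoint counted: the port is reachable and the
    management interface accepts requests from non-ISP networks.
    """
    hits = []
    for f in map(parse_flow, lines):
        if (f["dport"] == TR069_PORT and f["method"] == "POST"
                and f["hint"].startswith("soap:") and not is_isp_management(f["src"])):
            hits.append((f["src"], f["dst"]))
    return hits


def port7547_scanners(lines, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on port 7547."""
    targets = defaultdict(set)
    for f in map(parse_flow, lines):
        if f["dport"] == TR069_PORT:
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dst in unauthorized_cwmp_requests(SAMPLE_FLOWS):
        print(f"unauthorized TR-069 request {src} -> {dst}")
    for src, n in port7547_scanners(SAMPLE_FLOWS).items():
        print(f"probable bot {src} swept {n} hosts on tcp/7547")
```

The first check is the one an ISP can act on directly: any SOAP request to 7547 that did not come from its own ACS network is either a misconfiguration or an attack, and the same prefix list doubles as the ACL for the network-level mitigation Eir describes. The second check catches the spreading behaviour from the inside, since a customer router that opens connections to many other addresses on 7547 has no legitimate reason to do so.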
Moreover, the firm was able to link the new variant to a few “small-scale” DDoS attacks, including several against an African IP address on Monday and Tuesday, and a 22-minute assault against a cloud hosting provider on Tuesday that leveraged 488 different command-and-control addresses.
“Infrastructure of this scale is expensive and signifies not only that this is likely a commercial operation, but that there is an attempt to become more resistant to takedowns,” Flashpoint reported in the blog post.
According to experts, the very same Mirai infection campaign that caused service disruptions for Deutsche Telekom customers had a significantly more global impact than first realized. Flashpoint reported that the new Mirai variant infected devices in Germany, the UK, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy – with a notably high concentration in the first three countries. SANS' Internet Storm Center also noted on Tuesday that Austria was “experiencing a strong increase in TR-069 traffic within the last 24 hours.”