
Same fate befalls Post Office broadband as hit DT?

Post Office broadband appears to be suffering the same fate as Deutsche Telekom with reports of service outages for Post Office broadband customers.

Interruptions have apparently been experienced since Sunday and affected around 100,000 customers.

The attack on Deutsche Telekom routers saw service outages for more than 900,000 customers over the November 26 weekend. It later emerged that the outages were down to a series of attacks with a variant of the Mirai malware.

The Post Office may not be the only UK organisation that is suffering at the hands of what could be a single Mirai campaign. TalkTalk customers have been reporting service disruptions over the weekend as well.

Mirai has made a name for itself in recent months for its involvement in some of the largest DDoS attacks ever recorded. It first made its mark with a DDoS attack on the Krebs on Security website with a flood power of 620 Gbps. The next month, the Dyn DNS provider was attacked with a DDoS attack of over 1 terabyte, the largest on record.

Mirai's footprints were later seen in an attack on the African nation of Liberia, which resulted in major outages across the country.

Importantly, the malware builds its botnets from IoT devices: CCTV cameras, recorders and, in this case, routers.

Once Mirai infects a device, it scans for other vulnerable devices, attempts to guess their passwords and, once it successfully infects a new device, starts the process again from there.
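The propagation loop just described leaves a visible trace on the network: a single infected host starts contacting many peers on the same remote-login port in a short time. The following is an added example, not code from the article or from any vendor named in it, showing how a defender can flag that pattern in firewall logs. The log line format, the choice of telnet-style ports (23 and 2323) and the thresholds are assumptions made for the example; the log lines are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports on which Mirai-style credential guessing is typically attempted.
# Assumption for this example; adjust to what your own telemetry shows.
SCAN_PORTS = {23, 2323}

# Assumed firewall log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> action=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log (not real traffic). 203.0.113.7 probes six distinct
# hosts on telnet-style ports within 30 s; 198.51.100.5 touches only two;
# 192.0.2.50 is busy on 443/tcp, which is not a scan port; one line is malformed.
SAMPLE_LOG = """\
2016-11-27T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
2016-11-27T10:00:04 src=203.0.113.7 dst=192.0.2.11 dport=23 action=deny
2016-11-27T10:00:07 src=198.51.100.5 dst=192.0.2.10 dport=23 action=deny
2016-11-27T10:00:09 src=203.0.113.7 dst=192.0.2.12 dport=2323 action=deny
2016-11-27T10:00:12 src=192.0.2.50 dst=192.0.2.60 dport=443 action=allow
2016-11-27T10:00:15 src=203.0.113.7 dst=192.0.2.13 dport=23 action=deny
2016-11-27T10:00:18 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
this line is garbage and should be skipped
2016-11-27T10:00:22 src=203.0.113.7 dst=192.0.2.14 dport=23 action=deny
2016-11-27T10:00:28 src=203.0.113.7 dst=192.0.2.15 dport=23 action=allow
2016-11-27T10:00:40 src=198.51.100.5 dst=192.0.2.11 dport=23 action=deny
"""


def parse_events(text):
    """Parse log text into (timestamp, src, dst, dport) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the whole run
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_sweeping_hosts(text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak distinct destinations} for every source that contacts
    at least min_targets distinct hosts on a scan port inside any time window.
    A sliding window over the per-source event list keeps this O(n) per source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_events(text):
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Advance the window start until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    # Expected: {'203.0.113.7': 6}
    print(find_sweeping_hosts(SAMPLE_LOG))
```

Counting distinct destinations rather than raw connection attempts is deliberate: a legitimate host retrying one peer produces many log lines but only one target, whereas a worm sweeping an address range produces many targets. On a home or ISP network the same logic applied to outbound connections from customer routers is what surfaces an infected device before it joins the botnet's next DDoS.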

Flashpoint, the company which identified the Mirai variant, also mentioned that it had seen infected devices across Germany, Brazil and the UK, which may have been prescient given this news. The company added that it deemed the attack on Deutsche Telekom to be an effort to add a large swathe of devices to a pre-existing botnet.

The routers used by Deutsche Telekom, manufactured by Arcadyan Technology, a Taiwan-based company, were vulnerable to this strain of Mirai, and Deutsche Telekom has said it would be reviewing its relationship with Arcadyan.

Post Office apparently uses the Zyxel AMG1302, which is also reportedly vulnerable to Mirai. Pavel Šrámek, malware analyst at Avast, said that “many Post Office customers have now experienced what a problem an insecure router can be, first-hand. However, it is safe to say that this might be just the beginning of what could happen in the future. The next step for attackers could be to hack into other home devices once they gain access to the router, like webcams, smart TVs, or thermostats.”

A spokesperson for the Post Office told press that “no personal data or devices have been compromised”. The source of the problem has been identified and a solution is currently on its way to customers, the Post Office's spokesperson added. Most customers are now able to connect and the Post Office says that it has now guarded against future attacks.

Jonathan Sander, VP of product strategy at Lieberman Software thinks he sees something beyond what is immediately present. Who is behind these outages and what exactly they want is not clear yet: “Most cyber-crime is about money. But every now and then there are bad guys who just want to watch the world burn.”

This could all be a smokescreen, he told SC: “Using a DDoS style shut-down to focus attention in one place while your pocket is picked from another is a tactic bad guys have used for a long time. It could be that these new Mirai shut-down attacks are a new way to achieve the same ‘distract and steal’ combination.”
