'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

Malware waltzes up to admin panels with zero authentication

A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany.

The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was detected on Sunday and continued into Monday, has also targeted government networks, but has been inconsistent in its effect due to protective measures.

A modified version of the Mirai worm – which commandeered huge numbers of CCTV cameras and other Internet-of-Things gear – is now scanning home routers for security vulnerabilities, and either crashing or hijacking devices. This upgraded malware, and similar software nasties, were likely behind the weekend's outage in Germany, by attacking the modems' maintenance interface on port 7547.

Deutsche Telekom has issued a patch for two models of its Speedport broadband routers (Speedport W 921V, Speedport W 723V Type B) and offered affected customers a free day-pass for internet access through mobile devices while the issue gets resolved.

The Register last week reported that tens of thousands of Eir broadband modems in Ireland appeared to be vulnerable to remote takeover via TCP port 7547, following the publication of a proof-of-concept exploit.

In an email to The Register, Darren Martyn, who works at Xiphos Research in the UK, said that there are two issues with the Eir D-1000 broadband router, made by ZyXEL.

The first problem, he said, is that the TR-064 interface is accessible via the internet-facing WAN port and allows remote management with no authentication.

This appears to be a consequence of TR-069 – aka the Customer-Premises Equipment WAN Management Protocol – which typically makes TCP/IP port 7547 available. ISPs use this protocol to manage the modems on their network. However, on vulnerable boxes, a TR-064-compatible server is running behind that port and thus accepts TR-064 commands that configure the hardware without authentication.

The second problem, according to Martyn, is that the SetNTP Server functionality in the router's TR-064 implementation is vulnerable to command injection.

"The first issue, that of TR-064 being wide open to the internet, affects a whole host of other ISPs and vendors, and is, in fact, just as serious as the second one," said Martyn.

Martyn said he has confirmed that two routers provided by UK ISP TalkTalk are vulnerable – a ZyXEL modem and the D-Link DSL-3780. And he said that devices from T-Com/T-home (SpeedPort), MitraStar, Digicom, and Aztech are also at risk. In a tweet on Monday, Martyn said he has found 48 devices that are vulnerable to the TR-069/TR-064 issue.

Altogether, this suggests this particular security nightmare is widespread. It goes beyond Deutsche Telekom, Eir and TalkTalk: ISP subscribers using the aforementioned weak modems are at risk of infection or losing their connectivity until their firmware is updated.

The Register asked TalkTalk for comment today and was told that a response will not be immediately forthcoming because the working day in the UK was just ending.

"The TR-064 interface being accessible via WAN with no authentication means that just about anyone on the internet can interact with it, and reconfigure the device remotely," said Martyn.

What's at risk

An attacker could thus alter the DNS settings of the router, alter the port forwarding settings, steal Wi-Fi credentials, and update the ACS/Provisioning Server configuration settings, among other things. Changing the configuration details thus would allow an attacker to manage hijacked devices using an ISP's ACS management software, Martyn explained.
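From the defender's side, the traffic pattern Martyn describes is visible in ordinary firewall logs. The script below is an added example, not part of the article or any vendor's code: it reads netfilter-style LOG lines and flags inbound TCP 7547 connection attempts on the WAN interface that do not originate from the ISP's own ACS. The ACS address range, the WAN interface name and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the ISP's auto-configuration servers (ACS) live in this range;
# any other host reaching the CWMP port from the WAN side is unexpected.
ACS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed, TEST-NET-3
CWMP_PORT = 7547  # TR-069 / CWMP port, where the exposed TR-064 server listens

# netfilter LOG-target fields we need; fields in between are skipped lazily.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=\S+ .*?"
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def is_trusted_acs(src: str) -> bool:
    """True when the source address belongs to the ISP's ACS range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ACS_NETWORKS)

def suspicious_cwmp_sources(lines, wan_iface="eth0"):
    """Count, per source IP, TCP connection attempts to port 7547 that arrive
    on the WAN interface from hosts outside the ACS allow-list."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != wan_iface or m["proto"] != "TCP":
            continue
        if int(m["dpt"]) != CWMP_PORT or is_trusted_acs(m["src"]):
            continue
        hits[m["src"]] += 1
    return hits

# Constructed sample log: one legitimate ACS poll, three probes from one
# unknown host, an unrelated HTTPS connection and a LAN-side request.
SAMPLE_LOG = [
    "Nov 28 10:01:02 router kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=7547 SYN",
    "Nov 28 10:01:05 router kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=7547 SYN",
    "Nov 28 10:01:06 router kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=7547 SYN",
    "Nov 28 10:01:09 router kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40003 DPT=7547 SYN",
    "Nov 28 10:01:11 router kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40010 DPT=443 SYN",
    "Nov 28 10:01:12 router kernel: IN=br-lan OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40011 DPT=7547 SYN",
]

if __name__ == "__main__":
    for src, n in suspicious_cwmp_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} unexpected connection attempt(s) to TCP/{CWMP_PORT}")
```

Repeated hits from one source on this port, as in the sample, are the scanning behaviour attributed to the modified Mirai bots; a single legitimate ACS contact is filtered out by the allow-list.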

A Metasploit module incorporating the vulnerability was created earlier this month. According to a post in the SANS ISC InfoSec Forum, it appears that the exploit is being used in a modified Mirai botnet.

On Monday, in an emailed statement to The Register, Eir said it has been made aware of potential security vulnerabilities in its ZyXEL D1000 and ZyXEL P-660HN-T1A devices, which account for approximately 30 per cent of its retail customers' broadband modems.

As of September, Eir had about 867,000 broadband customers, which includes 443,000 retail customers and 424,000 wholesale broadband connections. So approximately 130,000 Eir customers may be affected.

"We have been working with ZyXEL, the supplier, and we have deployed a number of solutions both at the device and network level which will remove this risk," said Eir's spokesperson. "All of the potentially affected modems are now protected with the network mitigation we have taken. We continue to deploy the firmware patch."

Eir is recommending that customers with affected modems change both the administrative password and the Wi-Fi password. The two passwords should not be the same.

A Shodan search [login required] indicates that approximately five million devices offer a service on port 7547 over the internet. While not all of these devices are necessarily vulnerable, plenty of them are. ®

Biting the hand that feeds IT © 1998–2022