‘Mirai bots’ cyber-blitz 1m German broadband routers – and your ISP could be next
A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany.
The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was detected on Sunday and continued into Monday, has also targeted government networks, but has been inconsistent in its effect due to protective measures.
A modified version of the Mirai worm – which commandeered huge numbers of CCTV cameras and other Internet-of-Things gear – is now scanning home routers for security vulnerabilities, and either crashing or hijacking devices. This upgraded malware, and similar software nasties, were likely behind the weekend’s outage in Germany, which they caused by attacking the modems’ maintenance interface on port 7547.
Deutsche Telekom has issued a patch for two models of its Speedport broadband routers (Speedport W 921V, Speedport W 723V Type B) and offered affected customers a free day-pass for internet access through mobile devices while the issue gets resolved.
The Register last week reported that tens of thousands of Eir broadband modems in Ireland appeared to be vulnerable to remote takeover via TCP port 7547, following the publication of a proof-of-concept exploit.
In an email to The Register, Darren Martyn, who works at Xiphos Research in the UK, said that there are two issues with the Eir D-1000 broadband router, made by ZyXEL.
The first problem, he said, is that the TR-064 interface is accessible via the internet-facing WAN port and allows remote management with no authentication.
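For operators who want to see whether the maintenance port is being reached from the internet side, the following is an added example (not code from the article, Deutsche Telekom, Eir or ZyXEL) that flags WAN-side TCP connection attempts to port 7547 from sources outside an allowlist. The log lines are constructed in Linux netfilter LOG style, and the interface names, the allowlisted management range and all addresses are assumptions using documentation prefixes.

```python
import ipaddress
import re

MGMT_PORT = 7547  # maintenance-interface port named in the article

# Assumption: only the ISP's own management servers should ever connect.
# A documentation prefix stands in for that range here.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample lines (netfilter LOG style), not real traffic.
SAMPLE_LOG = """\
Jan 01 00:00:01 gw kernel: IN=wan0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=7547 SYN
Jan 01 00:00:02 gw kernel: IN=wan0 OUT= SRC=198.51.100.3 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7547 SYN
Jan 01 00:00:05 gw kernel: IN=wan0 OUT= SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=7547 SYN
Jan 01 00:00:09 gw kernel: IN=lan0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33001 DPT=7547 SYN
Jan 01 00:00:20 gw kernel: IN=wan0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40200 DPT=443 SYN
Jan 01 00:00:31 gw kernel: IN=wan0 OUT= SRC=203.0.113.99 DST=192.0.2.12 PROTO=UDP SPT=5000 DPT=7547
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty


def unexpected_mgmt_probes(log_text, wan_if="wan0"):
    """Map each non-allowlisted source to the set of destinations it sent
    a TCP SYN to on MGMT_PORT, considering only packets arriving on wan_if."""
    hits = {}
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("IN") != wan_if or f.get("PROTO") != "TCP":
            continue
        if f.get("DPT") != str(MGMT_PORT) or "SYN" not in line.split():
            continue
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue  # malformed or truncated line
        if any(src in net for net in ALLOWED_SOURCES):
            continue  # expected management traffic
        hits.setdefault(str(src), set()).add(f.get("DST"))
    return hits


if __name__ == "__main__":
    for src, dsts in sorted(unexpected_mgmt_probes(SAMPLE_LOG).items()):
        print(f"{src} -> {len(dsts)} device(s) on tcp/{MGMT_PORT}: {sorted(dsts)}")
```

A source that touches many customer addresses on this port in a short window is the scanning pattern the article describes; the same allowlist can be used as a filter rule so that only the management range reaches the port at all.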