Mirai botnet hits Post Office Broadband and Kcom customers

Customers of broadband internet service providers (ISPs) Post Office Broadband and Kcom have been hit by a cyber attack perpetrated by the evolving Mirai internet of things (IoT) botnet. It targeted consumer broadband routers, leaving large numbers unable to access the internet.

The exploit targeted a vulnerability in Zyxel’s AMG1302-T10B wireless routers that caused them to crash and disconnect from the internet. The attack began over the weekend and is thought to have affected about 100,000 users.

The same attack is also understood to have hit routers issued to customers by German telco Deutsche Telekom earlier this week. These devices, sold under the brand name Speedport, were not made by Zyxel.

The attack exploited an unsecured transmission control protocol (TCP) port on affected devices.

A Post Office spokesperson confirmed that an attack by an unnamed third party had disrupted services beginning on 27 November, affecting certain types of router.

“Although this did result in service problems, we would like to reassure customers that no personal data or devices have been compromised,” the spokesperson said. “We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers.

“We would like to apologise to any customers who have been experiencing issues with their Post Office broadband service. For those customers who are still having problems, we are advising them to reboot their router.

“We constantly review our systems and processes to protect our customers against incidents of this nature. No other Post Office services were affected.”

Kcom, which provides the incumbent telecoms service in Hull and parts of East Yorkshire instead of BT, acknowledged that a number of its customers had been experiencing issues since Saturday 26 November.

However, a spokesperson said, the ISP’s core network was not affected, and the vast majority of customers could now use their broadband as normal after it remotely applied a software patch for affected routers.

“The cyber attack is not limited to Kcom customers,” said a spokesperson. “Large numbers of customers of other UK and European communications providers have also been impacted. We have provided formal notification of the attacks to the communications regulator, Ofcom, and will continue to work with other UK communications providers to ensure a consistent approach to mitigating this threat.”

Pavel Šrámek, malware analyst at Avast, said router suppliers needed to collaborate with the security sector to find solutions to make their equipment more secure, as such attacks were bound to recur, and could easily compromise other connected home devices.

“Security software should be implemented directly in the router, which is the central point of the home network that connects all smart home devices to the internet,” said Šrámek.

Researchers at security firm Flashpoint said up to five million routers could be vulnerable to the new Mirai code around the world.

Zyxel said the flaw meant unauthorised users could access or alter the device’s local area network (LAN) configuration from the wide area network (WAN) side, but said it was important to note that the vulnerability could only be exploited when certain functions, which are usually turned off by default, were enabled.

“We are aware of the issue and assure our customers that we are handling the issue as a top priority,” the company said. “We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers.

“We have examined all CPEs within their warranty and support period, and are now in communication with all our service provider customers, rolling out a fix to the firmware affected.”