A quick scan revealed the over 99% of the malware-infected home routers belonged to the TalkTalk Telecom network, according to researchers at security firm Imperva.
The release of the Mirai malware code on an underground forum in October raised fears of a surge in DDoS attacks using hijacked devices such as routers that make up the internet of things (IoT).
Shortly afterwards, the Mirai botnet was used to carry out DDoS attacks on domain name system (DNS) services supplier Dyn that rendered a number of web services unuseable, including Netflix and Twitter.
Within weeks, a Mirai variant caused the mass shutdown of Deutsche Telekom routers, reportedly affecting over 900,000 customers. The variant was designed to exploit a newly discovered TR-064 protocol vulnerability to hijack network routers.
Deutsche Telekom issued an emergency patch for its customers, but a similar router-based Mirai botnet was found to be operating out of the UK just days later.
TR-064 is a widely used protocol that many ISPs employ to remotely manage network routers, but standard commands can be modified to enable hackers to do things such as open port 80 for remote access, obtain Wi-Fi passwords and inject malware into the device, said the researchers.
GET and POST flood attacks
Six days after the Deutche Telekom router shutdown, the researchers said a UK-based bitcoin company website using the Incapsula service was hit by ongoing GET and POST flood attacks.
The attack peaked at over 8,600 RPS (requests per second). It then scaled back to a steady flow of 200 to 1,000 RPS, directed toward two specific pages on the client’s website.
“The offenders’ persistence, as well as its choice of targets, shows this to be a premeditated offensive – not the typical random burst launched from a rented DDoS-for-hire service,” said the researchers.
The most interesting aspect of the attack was that all 2,398 attacking IPs were located in the UK, which is an uncommon IP distribution for DDoS botnets.
A regional botnet typically indicates a vulnerability in a device supplied by local retailers, and in this case, it turned out to be routers supplied by TalkTalk.
The Imperva researchers nearly ruled out TR-064, as none of the random IP scans found any devices with an open 7547 port. However, when they fed the same addresses into the Shodan search engine for internet connected devices, they discovered these ports had been open until “a few days ago”.
Read more about Mirai
- Customers of broadband internet service providers (ISPs) Post Office Broadband and Kcom have been hit by a cyber attack perpetrated by the evolving Mirai internet of things (IoT) botnet.
- Organisations with an online presence should prepare for terabit-class Mirai IoT botnet-based DDoS attacks that could knock almost any business offline or disable chunks of the internet.
- The Mirai DDoS attack on DNS firm Dyn at the end of October 2016 highlighted both the vulnerability of the world’s internet infrastructure and the dangers of leaving devices unsecured.
- A new nematode worm proof of concept could help the internet avoid the next massive Mirai IoT botnet DDoS attack, but experts are unsure of the legality of the option.
The researchers believe the Mirai variant used in this case is capable of nesting itself in the target device and then shutting the door behind itself.
“We hope the accumulated reports of the attacks will serve as a wake-up call for ISPs using routers susceptible to the vulnerability in the TR-064 protocol,” said the researchers.
With variants of Mirai already using the exploit for large-scale attacks, the Imperva researchers urged ISPs to issue emergency patches to protect the privacy of their customers and prevent their routers from falling into the hands of botnet operators, who could endanger the internet ecosystem.
TalkTalk under fire
TalkTalk has issued a fix for the vulnerability that closes the TR-064 interface and resets the router, but the firm has come under fire for not forcing customers to change their router passwords.
Penetration testing firm Pen Test Partners uncovered evidence that TalkTalk and other ISP customers that use similar routers are likely to have had their Wi-Fi keys stolen, opening them up to hackers.
The fix issued by TalkTalk resets the routers to what they were before the attack, which means the attackers still have valid passwords for the affected routers.
However, TalkTalk maintains there is “no need” for users to change their router settings, according to the BBC.
A spokesperson of the firm said they could change their router passwords “if they wish”, adding that she believed there was “no risk to their personal information”.
“It does a disservice to the complicated debate around security and privacy to give out advice of this fashion,” said Don Smith, technology director at Dell SecureWorks.
“TalkTalk appear to be flying fast and loose with customer data security, yet again,” said Pen Test Partners’ Ken Munro.
In contrast with TalkTalk’s approach, Irish ISP Eir told the BBC it is advising customers to reset their routers and change both the router administration and wi-fi passwords.