Mass router compromise takes out Deutsche Telekom customers
German government, consumers among collateral damage as bot router attack goes sour – 40m devices potentially vulnerable
What looked initially like a massive internet outage in Germany has been linked to a global campaign by Mirai Botnet herders that has seen attacks in UK, Brazil, Iran and Thailand.
Deutsche Telekom, Germany's largest telecom company, said internet outages hit as many as 900,000 of its users earlier this week, or about 4.5 per cent of its fixed-line customers. The company said some customers were seeing “very marked fluctuations in quality, but there are also customers for whom the service is not working at all”. Victims of the outage included German government offices.
The fluctuations in service appear to have been caused by a new attack module added to the Mirai Botnet code, which previously hit the headlines when it was used to attack Dyn, causing international delays in everyday internet traffic. Previously the botnet relied on compromising devices with weak admin/password combinations, but the new module was designed to exploit a flaw in TR-069, a standard that allows ISPs to manage broadband modems remotely via Port 7547.
The scope of the attack is considerable - according to SANS, the number of devices listening on port 7547 is as large as 40 million, although not all of these are necessarily vulnerable. “My personal best guess is that this vulnerability may have added 1-2 million new bots to the Mirai botnet. Some tests done by Darren Martyn show that modems used by UK ISP TalkTalk, D-Link DSL 3780s, and modems made by MitraStar, Digicom and Aztech are all vulnerable. He states that he found 48 different vulnerable devices”, said Johannes B. Ullrich in a blog post.
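A practical check for the exposure described above is whether anything other than the ISP's own management server is reaching a router's TR-069 port. The following script is an added illustration, not code from the article or from any vendor: it scans constructed netfilter-style firewall log lines for inbound TCP connections to port 7547 from addresses outside a placeholder ACS network and counts them per source.

```python
"""Flag TR-069 (TCP/7547) connection attempts that do not come from the ISP's
auto-configuration server (ACS), using constructed firewall log lines."""
import ipaddress
import re
from collections import Counter

# Placeholder: only the ISP's ACS should ever talk to the CPE on port 7547.
ACS_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
TR069_PORT = 7547

# Matches the key=value fields of a netfilter LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def is_trusted_acs(ip):
    """True if the address lies inside one of the expected ACS networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACS_NETWORKS)


def flag_tr069_probes(lines):
    """Return {src_ip: count} of inbound TCP connections to port 7547 whose
    source is not a trusted ACS. Lines that do not parse are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["proto"] != "TCP" or int(m["dpt"]) != TR069_PORT:
            continue
        if is_trusted_acs(m["src"]):
            continue
        hits[m["src"]] += 1
    return dict(hits)


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "kernel: IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=7547",
    "kernel: IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=7547",
    "kernel: IN=ppp0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=7547",
    "kernel: IN=ppp0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443",
    "kernel: IN=ppp0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=7547",
    "not a firewall line",
]

if __name__ == "__main__":
    for src, n in sorted(flag_tr069_probes(SAMPLE_LOG).items()):
        print(f"{src}: {n} untrusted attempt(s) to TCP/{TR069_PORT}")
```

Any source reported here is either a scanner or a misconfigured management path; the fix on the customer side is to stop exposing port 7547 to the internet rather than to trust a whitelist alone.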
"It was a global attack against all kinds of devices," Dirk Backofen, a senior Deutsche Telekom security executive, told Reuters. So far, so botnet 101, but the scale of this attack is pretty audacious - albeit unsuccessful, as a ‘coding flaw’ meant that the routers crashed rather than running the exploit - and it has even led to calls for legal action.
In an interview with newspaper Bild published on Wednesday, Interior Minister Thomas de Maiziere called for firms that manufacture IT equipment to be held to greater account. "Responsibility for digital security is borne by users, company managers, authorities, manufacturers, providers and service providers alike," he said.
"This involves a fair distribution of loads. This appears to me not always to be a given in the area of end products for the user. Customers, at any rate, need to be able to rely on the security of IT products on the market," he added.
Of course, the only thing that is certain in IT security terms is that entirely reliable security is not cheap, if possible at all. While businesses are spending more than ever on IT security - the UK government has announced a £1.9bn increase in spend, while business analysts predict a five-year compound annual growth rate (CAGR) of 17.0% - it’s not necessarily being spent more effectively.
Ilia Kolochenko, High-Tech Bridge CEO, agreed: “Spending more does not mean spending better. Omitting security “solutions” based on slightly tuned and beautifully packed open source, there are some very good products that may be just wrong and inappropriate for a particular organization. A solution that is successfully mitigating threats at largest banks, may be inappropriate for insurances, governments or SMBs.
“Today, many cybersecurity companies are backed by profit-hungry VCs, who usually push them to sell and maximize income by all available means. At the end of the day, their clientele blindly acquire inappropriate and inadequate solutions, get hacked and start losing their confidence in cyber security industry’s ability to defend them.
“Another important factor is a significant growth of digitalization trend – more and more common processes become digital and migrate to the Internet. Obviously, this significantly boosts the scope of attackable devices and systems, opening new opportunities for attackers.”