Mirai, which appears to be the biggest botnet so far, has created yet another menace, this time for the German company Deutsche Telekom. The botnet managed to log in to the admin panel of most broadband routers it reached, degrading service for over 900,000 customers.
The BSI (German Federal Office for Information Security) has issued a statement regarding this massive and automated cyber-attack, which was detected during the last weekend of November 2016.
From the report we can also understand that a modified version of the Mirai worm, whose source code had been released openly to the public, is likely responsible for the massive havoc. This modified variant has begun to cause attacks and infections on multiple CCTV cameras as well as IoT devices of different types.
What Does This Mirai Variant Do?
It is estimated that Mirai used the maintenance interface on the German modems; more specifically, the malware attacked port 7547.
This allowed Mirai to gain full administrative access to the routers, giving it the power to perform anything that can be modified from the router’s admin panel.
As soon as the worm takes control of the routers and other IoT devices it attacks, they are “put out of business” temporarily.
Why Did Mirai Successfully Infect the Devices?
According to researcher Darren Martyn, who contacted The Register, there were several issues that gave the worm its opportunities when it came to infecting users.
The first complication derives from one of the interfaces of the devices, called “TR-064”. This interface was reachable via the WAN port, which is connected to the internet, so the device could be managed remotely over this port without any authentication at all.
But this is not all: another interface, “TR-069”, also has the issue of exposing TCP/IP port 7547, which Mirai was configured to take advantage of. Since TR-069 is basically a WAN Management Protocol, it is not there for nothing: most ISPs use this very protocol to manage their own networks remotely and hence fix issues faster. The problem is that this interface is also connected to a server that is TR-064 compatible (the first issue). This means that if TR-064 commands are directed at that server, they are accepted via port 7547 without any additional configuration or authentication between the two interfaces.
Another issue, according to the researcher, is that the router had a further vulnerability, again on the TR-064 interface, which allows the botnet to inject scripts containing commands and hence render the device temporarily useless.
And this 069/064 issue is not present on only one or two devices. Martyn claims he also discovered more than 40 devices, including models from Digicom, Aztech, D-Link and other big names, to be vulnerable to this exploit.
This being the case, it is now quite clear why the worm became so widespread, and this raises the “danger level bar” of Mirai attacks even more. Keep in mind that victims of this malware may not only be users in Germany; given the rate at which this variant spreads, it can infect any ISP in the world as of this moment.
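The defensive check the two issues above call for is simple: TR-064/TR-069 management traffic on TCP port 7547 should only ever arrive from the ISP's own auto-configuration server (ACS), never from arbitrary internet hosts, so any WAN-side connection to that port from an unexpected source is worth alerting on. The following is an added example, not code from the article or from Deutsche Telekom, that scans firewall log lines for exactly that pattern. The log layout, the ACS address range and the sample entries are all constructed assumptions.

```python
# Added example (not part of the original article): flag inbound WAN-side
# connections to TCP/7547 (the TR-069/TR-064 management port) whose source
# is not the ISP's known ACS range. The log format, the ACS range and the
# sample lines are constructed for this example.
import ipaddress
import re
from collections import Counter

CWMP_PORT = 7547

# Hypothetical ISP auto-configuration server (ACS) range; a real deployment
# would use the ISP's actual ACS addresses.
TRUSTED_ACS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of netfilter-style firewall log lines.
SAMPLE_LOG = """\
Nov 27 10:01:02 gw kernel: IN=wan SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44332 DPT=7547
Nov 27 10:01:05 gw kernel: IN=wan SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=7547
Nov 27 10:01:06 gw kernel: IN=wan SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=7547
Nov 27 10:01:09 gw kernel: IN=lan SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=7547
Nov 27 10:01:12 gw kernel: IN=wan SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP SPT=33221 DPT=443
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with iface/src/dst/proto/spt/dpt, or None if the line
    does not carry a firewall record in the assumed layout."""
    match = LINE_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_trusted_acs(src):
    """True if the source address lies inside one of the trusted ACS ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ACS)


def find_untrusted_cwmp(log_text):
    """Count WAN-side TCP connections to the management port from sources
    outside the trusted ACS ranges. Returns [(src, count), ...] sorted by
    count, highest first; an empty list means nothing suspicious was seen."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only inbound traffic on the WAN interface matters here: LAN-side
        # management access is the normal, expected case.
        if rec["iface"] != "wan" or rec["proto"] != "TCP":
            continue
        if rec["dpt"] != CWMP_PORT or is_trusted_acs(rec["src"]):
            continue
        hits[rec["src"]] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, count in find_untrusted_cwmp(SAMPLE_LOG):
        print(f"untrusted source {src} hit TCP/{CWMP_PORT} {count} time(s)")
```

On the constructed sample the only finding is the host 192.0.2.55, which touched port 7547 twice from the WAN side; the connection from the ACS range, the LAN-side access and the port 443 traffic are all ignored. The same idea applies to any device in the affected list: if the management port must stay reachable from the WAN at all, the firewall should restrict it to the ISP's ACS addresses and log every other attempt.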
The Destruction of Mirai
Let us take a look at several hypothetical scenarios that can follow an attack by Mirai. An attacker controlling this modified version can change crucial settings, such as the DNS address the devices use to connect, as well as settings that allow him to snoop crucial information from those devices. And we are not only talking about stealing a Wi-Fi password and SSID here; this information is massive, and even user passwords may be obtained.
But this is not all in terms of damage. The hacker behind this botnet can also manage the devices, and here we are talking about control of almost 1 million devices via the ACS management software normally available only to ISPs.
The issue is now fixed and hopefully will not be repeated in the future, although experts are still working on it. In the meantime, all customers of the telecom should change important credentials, such as the passwords of crucial accounts, to increase their security.
As soon as the massive attack was discovered, the company responsible for the devices, Deutsche Telekom, patched the routers and offered customers free mobile data access, at least until they cope with the attack.