back to article Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs

The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so. Problems at the Post Office …

  1. Tom Paine Silver badge
    Stop

    Dammit!!

    ...might as well go back and delete all my comments on the "Hull ISP suffers router DoS attack" now!

    EDIT: I spoke too soon...

    The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc.

    No, no, no! This completely misses the point. The crashing / bricked routers aren't the intention of the attackers; it's a side-effect of presumably poorly tested exploit code being used to recruit more bots for Mirai. The disgruntled consumers are just collateral damage. The real targets will emerge

    in the next weeks / months. DDoS ransom attacks for Christmas / New Year? Something to welcome President Trump during his inauguration? Who knows. I just hope it's not us...

  2. Destroy All Monsters Silver badge
    Windows

    Declared another nefarious deed by PUTIN, out to undermine "faith in democracy"

    Begin headline in 15 minutes!

    (Faith in WHAT now?)

    1. Destroy All Monsters Silver badge

      Re: Declared another nefarious deed by PUTIN, out to undermine "faith in democracy"

      Oh, downvotes, really?

      Well, explain this then:

      German leaders angry at cyberattack, hint at Russian involvement

      German politicians say action must follow a hack that paralyzed some 900,000 internet connections. Berlin stopped short of blaming Russia, but fears are growing Moscow could try to influence the 2017 German election.

      1. William 3 Bronze badge

        Re: Declared another nefarious deed by PUTIN, out to undermine "faith in democracy"

        In a word

        "propaganda"

  3. Jess

    It's other ISPs too

    My ZyXEL router has been dropping connection since before the weekend, so has a friend's (on yet a different ISP). Until reading yesterdays articles, I had assumed either co-incidental failure, or an problem or a compatibility issue at the local exchange.) Yesterday I had no connections and reboots didn't work.

    Today I reset it and it appears to have done an update and seems OK since.

    However this is a potential man in the middle (etc) attack. Hopefully the Opera VPN I have been running will have mitigated it, and also I would hope that mint's update system would not be compromised. But would things like a Seagate NAS possible be compromised?

    I'm a bit annoyed about my ISP not at least sending out a warning email. They knew about it at least first thing Wednesday.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's other ISPs too

      My previously rock solid ADSL Netgear N1500 on Demon has also been losing its login connection several times a day this week. The ATM stays up ok. Only a reboot restores it.

      However - BT repaired a damaged phone cable somewhere on Monday. So that complicates the issue - even though it looked ok after they did the repair.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's other ISPs too

      > But would things like a Seagate NAS possible be compromised?

      Literally all gear you have connected to your internal network could be compromised.

      eg, NAS, printers, PC's, mobile devices

      It just depends on the skill and time/effort the attacker is using. No-one seems to be reporting cases of further penetration inside compromised networks, but it's early days yet.

  4. Anonymous Coward
    Anonymous Coward

    Lawyers!

    With malicious practice in place, unauthorised users could access or alter the device's LAN configuration from the WAN-side using TR-064 protocol.

    That's a new one.

    "We didn't fuck up, there was malicious practice in place!!!"

    The headline is also not fully correct, this is about InternetOfShit having repercussion in the SOHOpeless domain.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lawyers!

      Yeh. I read it as... "With our crap security in place..."

  5. PickledAardvark

    A victim report

    I own a ZyXEL P-660HN-T1A router connected via ADSL to a UK ISP. The router is updated to the latest manufacturer configuration. When the weather is wet, I suffer from a lot of line drops so I often have the router configuration page open in a background browser page. My service was up and down a lot 14 days ago and then worked normally. Two days ago, I suffered a couple of long disconnections after which the connection recovered.

    Yesterday morning was different. I noticed that the web configuration page (left open over night) displayed an internal error. I powered off/on the router which reconnected to my ISP. However I was unable to open the configuration page or to connect via Telnet. The ADSL connection was unreliable but I had enough time online to determine that my router was vulnerable and had been hacked.

    So I hard reset the router to its base settings, reapplied a three year old configuration backup, sorted out the differences, checked for obvious unnecessary services and reconnected to the internet. I have a new configuration backup but it isn't complete...

    It took about six hours for my router to be hacked again. All of the time I had the configuration/status page running in the background so I noticed two soft reboots -- just when my TV programme stopped. On the third reboot, the configuration/status page displayed the internal error again. I powered off/on the router and I was locked out from web or Telnet access -- alas I didn't try Telnet when the the web server displayed an error. The web page error, I presume, was generated when the injector hack code disabled access (chmod) to the web pages. The web server continued to run until I powered the router off.

    So I'm writing this via a hacked router which I have physically placed so that I can see the blinking lights. The ADSL and wireless connections drop out occasionally but it mostly works.

    My understanding is that the Mirai attack code (ELF binary) is held in RAM and will not survive a hard reboot. Apologies to my ISP and anyone else affected if I'm wrong. I think that I'm not hurting anyone else but I can't manage my router again until I perform another hard reset etc

    Where can I find the latest injector code? As the injector code develops, I doubt that iptables drop tcp 7547 will be enough.

    Oops, it happened again. I lost my ADSL connection and I'm still waiting for reconnection. Still waiting.

    1. NonSSL-Login
      Big Brother

      Re: A victim report

      I was watching port scans for 7547 from UK hosts increase as early as Sunday and it was obvious then what was happening so surprised it took TalkTalk and other isp's to notice and respond. Full expected to see them block that port on their edge routers.

      The botnet/worm tries the TR-064 (I actually throught it was TR-069 rather than the 064 the article mentions but may be wrong) SOAP stuff which in turn gets it to download the payload from the server. The server(s) seen had MIPS, ARM, PPC, Sparc and a few more payloads ready to download, so they were well prepared and figured they could infect a good few types of routers. All statically linked so no compiling issues.

      Always assumed these ISP control ports/protocols were back doors for GCHQ rather than for firmware updates anyway. Time to replace your ISP's router with a DSL router capable for running DD-WRT or one of it's variants to protect yourself from the WAN side.

      1. PickledAardvark

        Re: A victim report

        When I got hacked, my router services for TR-064 and TR-069 were turned off. Perhaps related TCP ports were open to other services. My router is not managed by an ISP. I do not knowingly run anything with a default password. My router was not open to management by GCHQ via an ISP; it turned out that too many daemons or services running on my router were buggy.

        A few weeks prior to the first hack I had enabled NTP on the router. I was annoyed by 1970 logs. Initially I thought that it might be the vector.

        When I was hacked for the second time, when NTP was not enabled, I concluded that there were other vectors. Like shoddy software.

      2. The obvious

        Re: A victim report

        That's a good idea - if the reliability of my DD-WRT boxes (different devices different manufacturers) is anything to go by an ELF binary will only last about 6-8 hours before the box locks up and needs a reboot anyway...

        YMMV of course.

  6. inmypjs Silver badge

    Sh... IoT

    Since when is a modem/router an "Internet Thing".

    Frankly I am not at all surprised by what is happening. ISPs providing modem/routers with management interfaces open to the net was a disaster waiting to happen.

    Glad I am using my own with remote management absolutely disabled, just hope it doesn't have any vulnerabilities with that turned off.

    1. Brian Miller

      Re: Sh... IoT

      Anything with a bit of Linux and Busybox is an IoT. SIP phones, kettles, routers, just anything. If it has a network interface and a login, it's an IoT. Imagine if everybody with a Raspberry Pi put the thing in their DMZ, with default credentials. Chaos, for the taking. Same thing here.

    2. Chronos Silver badge
      Thumb Up

      Re: Sh... IoT

      I was itching to say exactly that while R'ing TFA. It's plain old networking kit, not Internet of Acronyms. I know this industry is buzzword-led but this is El Reg; I expect a bit of respite while reading here.

    3. Chris Hance

      Acronym is almost there

      C'mon, reg, it's obviously a Security-Handicapped Internet Thing.

      And yeah, routers aren't exactly IoT in that they're supposed to defend against this kind of thong, not be vulnerable to it. But odds are they're going to use the same chips, if they don't already. "Hey, we can save ten pence per unit if we switch to this other chip that's being produced in volume for IoT devices. Sure it only has half the memory, but we can just leave out the firewall and hard-code the admin password to save space."

  7. Anonymous Coward
    Anonymous Coward

    Crap code listening on open network ports ....

    A recipe for disaster.

    1. Anonymous Coward
      Anonymous Coward

      Re: Crap code listening on open network ports ....

      And then you get a Node.js server on the other side...

  8. CJatCTi

    It looks like an ZyXEL - even those without 7547 management

    We look after a number of sites with different ISPs we buy ZyXELs for those with basic requirement and have found both AMG1202-T10B's & AMG1302-T10B's that have been taken over - just look in the time server settings.

    A port scan shows 7547 or 5555 isn't open so how they got hacked is a mystery to us & curently ZyXEL too.

    1. Anonymous Coward
      Anonymous Coward

      Re: It looks like an ZyXEL - even those without 7547 management

      That doesn't sound good at all.

      To reuse a citation from the Morris Worm Event back in the 80's ... "Where is Sigourney Weaver?"

    2. PickledAardvark

      Re: It looks like an ZyXEL - even those without 7547 management

      The injector closes ports. If a router is hacked, exploit ports will eventually be closed.

      Even so, my hacked router has flaky moments when an attacker determines its identity (potential target) and tries to break in.

  9. Anonymous Coward
    Anonymous Coward

    Next door neighbour on TalkTalk lost internet access 4 days ago

    But I'd recently setup a router flashed with DD-WRT as a guest access wifi, meaning only internet access and not computers on my lan, which I let them use because their interent speed was 2.4mbit and mine is 74mbit.

    The quote I've seen about just rebooting the TalkTalk router didn't work in this case - still no internet after power-cycling.

    They're now thinking of completely ditching TalkTalk, landline and all since they extensively use their mobiles and can use my internet.

    1. Anonymous Coward
      Anonymous Coward

      Re: Next door neighbour on TalkTalk lost internet access 4 days ago

      Loss of internet and having to deal with Talktalk's godawful "service" and corporate contempt for even its frailest and most vulnerable customers too. My sympathy is with everyone stuck with this double whammy.

  10. Anonymous Coward
    Anonymous Coward

    Our Virgin router seem to be being crashed several times most days, related attack perhaps?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019