Attackers are targeting DSL routers this week with what’s being called a potent new variant of the Mirai malware that knocked offline major Internet companies like Twitter and Spotify last month.
According to Germany’s Deutsche Telekom 900,000 of its DSL router customers have already been targeted by attackers. According to the telecommunications company impacted customers are unable to connect to the Internet; phone and video services that rely on infected modems are inoperable as well.
Security experts say Deutsche Telekom will have patched most of the vulnerable routers by Tuesday, but warn millions of other DSL modems could also be vulnerable to this type of attack.
Attacks take advantage of a flawed implementation of router maintenance features implemented by two Taiwanese router manufacturers Arcadyan Technology and Zyxel, according Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. Attackers are able to access TCP NTP Port 7547 to execute remote code in affected routers, Ullrich claims.
“For the last couple days, attack against port 7547 have increased substantially,” said Ullrich, adding that a successful attack would allow an adversary to do whatever they want with the router. “They could capture your traffic, they could use your router to launch an attack from or they can be used as part of a DDoS attack,” he said.
A scan of devices by the Shodan search engine reveals about 41 million routers that leave port 7547 open. Ullrich estimates that only 2 million routers could be vulnerable to attack however.
“The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability,” he wrote in a security bulletin.
According to security experts, attackers are exploiting a common vulnerability in the TR-069 configuration protocol.
Stefan Ortloff, a researcher with Kaspersky Lab’s Global Research and Analysis Team, explained the vulnerability in a Securelist post on Monday.
“A vulnerability in affected routers causes the device to download the binary with file name ‘1’ from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (‘NXDOMAIN’).”
Previously Mirai used approximately 60 default passwords to break into DVRs, webcams and other IoT devices. Now what Mirai attackers have done is added a new vulnerability. Ullrich claims attackers “took the Mirai code and added that new exploit to it so now in addition to being able to scan for weak passwords, Mirai is also able to scan for routers that have this remote code execution vulnerability (TR-069).”
The TR-069 (Technical Report 069) refers to the DSL Working Group’s specification used by ISPs to remote administer modems. “The standard was never intended to support remote code execution. But that’s exactly what attackers are doing,” Ullrich said.
Infected routers also exhibit Mirai-like behavior such as deleting itself from filesystems (residing only in memory), resolving to command and control servers (using the DNS 220.127.116.11) and scanning the Internet for open TCP 7547 Ports in order to infect other devices, according to Ortloff.
Telecom provider German Telekom has pushed out a fix to impacted routers. It also recommends, since the infection resides in the router’s memory, power cycling devices to remove the malware.
Potentially impacted equipment made by Arcadyan Technology and Zyxel, neither who responded to requests for comment for this story, include Speedport Routers and Zyxel Modems. Ullrich said customers in the UK and Ireland have also reported similar open-port type attacks.
“It’s impossible to know the extent of this problem or if attacks will increase. The good news is fixing this problem is relatively simple,” he said.