UPDATE3 TalkTalk and Other ISP Routers Potentially Vulnerable to New Mirai Worm

It’s spreading fast! A newly modified version of the malicious Mirai worm, which has recently been remotely infecting masses of different broadband routers at other European ISPs (900,000+ in Germany), may soon begin to hit devices in the United Kingdom too, such as TalkTalk’s D-Link DSL-3780 kit.

The Mirai malware first came to light a couple of months ago after it infected a huge number of popular Internet connected devices, such as surveillance cameras and DVRs, which were then hijacked and turned into a gigantic botnet that was harnessed by hackers for conducting massive Distributed Denial of Service (DDoS) attacks.

Since then somebody has modified Mirai and enabled it to exploit weaknesses in the popular TR-069 (remote management) and related TR-064 (LAN-Side DSL CPE Configuration) protocols, which are commonly enabled in broadband routers supplied by ISPs and help the provider to keep your device updated with the latest firmware or to perform various other tasks (e.g. diagnostics).

Many routers that use TR-069 and TR-064 tend to leave Internet port 7547 open to outside connections (ports like 5555 may also be targeted) and the modified version of Mirai has found to way to exploit this, which appears to be based off a recently discovered proof of concept exploit (here and here).

In short, the attack can instruct TR-064 on vulnerable routers to open port 80 (usually used for HTTP website traffic) on the device’s firewall, which then allows the hacker access to its web-based admin interface. After that point a command injection can be used to exploit various weaknesses and before you know it the router has been hijacked.

Whoever is behind the attack can now steal your WiFi details, change the router’s settings (e.g. adjusting the DNS settings to snoop on your Internet traffic or conduct attacks) and basically do all sorts of nasty things with the device or your Internet connection / network traffic.

SANS Internet Storm Centre Advisory

If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again.

Somewhat expected, but with the old host name l.ocalhost.host being taken down, the bot now uses timeserver.host and ntp.timerserver.host. Both resolve to 176.74.176.187 for now.

For the last couple days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.

According to Shodan, about 41 Million devices have port 7547 open [ISPr Ed: Only some of those will be vulnerable to this]. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.

What’s striking about this is just how many routers, often from different manufacturers, appear to be vulnerable. The attack started by hitting Eir in Ireland and then Deutsche Telekom’s Speedport W 921V and Speedport W 723V Type B (T-Com/T-home) in Germany, but it can also infect ZyXEL’s D-1000 and P-660HN-T1A, various D-Link routers and others from MitraStar, Digicom, Aztech and possibly more.

Security researchers suggest that TalkTalk’s D-Link DSL-3780 based kit may also be vulnerable, although as yet it remains unclear quite how many makes and models of router are exposed to the exploit. The Mirai code will no doubt continue to be tweaked and so even those that aren’t vulnerable today might still be exploited tomorrow.

So far none of BT, Sky Broadband or Virgin Media’s kit has been affected, although ISPs would be wise to pay attention to this threat and liaise with their partners in order to ensure that the firmware on their customer router(s) is not at risk. We did ask TalkTalk and so far the ISP has not been able to confirm whether their kit is at risk, but they are checking.

UPDATE 30th November 2016

Some readers have pointed out that the ZyXEL AMG1302 router offered by the Post Office appears to be affected.

UPDATE 30th Nov 5:03pm

The Post Office has responded.

A Post Office Spokesperson told ISPreview.co.uk:

“Post Office can confirm that on 28/11 a third party attempted to disrupt the services of its broadband customers. Although this did result in some intermittent service problems we would like to reassure customers that no personal data has been compromised.

We would like to apologise to any customers who have been experiencing issues with their Post Office broadband service.

We constantly review our systems and processes to protect our customers against incidents of this nature.

No other Post Office services were affected.”

UPDATE 1st Dec 2016

Now customers of KCOM have been hit (here).

UPDATE 2nd Dec 2016

Sadly TalkTalk forgot to give us an update 3-4 days ago when everybody else got it, but here’s what one of their spokespeople finally told us: “Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers.” By “small” they still mean many.. many thousands.