Earlier this week we reported on how routers supplied by the Post Office, TalkTalk and others were potentially vulnerable to a modified piece of malicious software called Mirai (here), which hijacks the device. Today we learn that around 1,000 customers of KCOM’s service in Hull have also been hit.
Huge numbers of broadband subscribers across Europe have already suffered from the malware, which exploits some recently discovered weaknesses in the popular TR-069 (remote management) and related TR-064 (LAN-Side DSL CPE Configuration) protocols and in how ISPs have implemented them.
So far various routers, such as those manufactured by T-Com/T-home, D-Link, ZyXEL, MitraStar, Digicom and Aztech, have been hit and more may follow. For example, ZyXEL’s AMG1302 (T11B and T10B) series is open to the exploit (unless the very latest firmware is applied) and this router is supplied by the Post Office. Sadly that same model is also used by some of KCOM’s broadband customers.
A spokesman for KCOM said (here):
“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B.
The vast majority of our customers are now able to connect to and use their broadband service as usual. Our core network was not affected at any time, and we have put in place measures to block future attacks from impacting our customers’ routers and their ability to access the internet.”
Once again we are advising all broadband ISPs that offer a router to their subscribers to check and ensure that the device is not vulnerable. Meanwhile anybody worried about the threat should read our article from Tuesday, which offers some further detail and advice.
UPDATE 5th Dec 2016
KCOM has issued the following update this morning.
KCOM Statement
From this morning, we are rolling out an automated upgrade for Zyxel AMG 1302-T10B routers which is designed to remove any service issues and remove the vulnerability that the cyber-attack exploited last week. In order to find the solution, we have been liaising with other broadband providers affected by the cyber-attack.
It is very important for all users of this router (whether you are experiencing any issues or not) to follow the simple steps below to upgrade router settings.
1. Unplug your router from the electrical socket and leave it off for at least 30 seconds.
2. Switch the power back on and leave your router for at least 15 minutes while the settings update automatically. The lights on the router will flash intermittently during this time. It is very important that you do not try to access the internet during this phase. This will allow your router to process the upgrade and come back online.
We expect this to clear any issues you have accessing the internet and it will also remove the vulnerability for all customers using this device.