This year seems to give no respite to users and Internet services worldwide, as evidenced by this new and massive attack on Deutsche Telekom routers, which left 900,000 users in Germany without Internet access for several hours this past weekend.
It is clear that the Mirai botnet is growing stronger and more notorious each day. The reason is insecure Internet-of-Things devices. Just last month, the Mirai botnet knocked the entire Internet offline and disabled some of the world’s biggest and most popular websites.
Although the reasons for the outage were not known, a report from the German Federal Office for Information Security (BSI) confirmed for the first time that it was the result of an operation to add the routers to a botnet.
Experts suggest that a modified version of the Mirai botnet was involved, the same botnet responsible for the massive attack on 41 million routers last October, which in turn affected the service of numerous websites worldwide, especially social networking and media sites and businesses.
The attack in Germany took place on Sunday and Monday. Most of the broadband routers involved are Zyxel and Speedport models with port 7547 open, which suppliers use to maintain or manage the devices remotely when required.
The same vulnerability was earlier found to affect the Eir D1000 wireless router (a rebranded Zyxel modem) deployed by the Irish internet service provider Eircom, although there are no signs that these routers are being actively exploited.
According to a Shodan search, “around 41 Million devices leave port 7547 open, while about 5 Million expose TR-064 services to the outside world”.
Meanwhile, according to reports published by the SANS Internet Storm Center, “honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP”.
The security firm BadCyber wrote in a blog post that “The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared. It looks like someone decided to weaponize it and create an Internet worm based on Mirai code”.
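To gauge how often your own addresses are being probed on the management port described above, the following added example (not code from the article or from any vendor) summarizes inbound hits on TCP 7547 per destination from firewall logs, for comparison with the 5-10 minute interval SANS reports. The log lines are constructed in Linux netfilter LOG style with documentation IP addresses; the function name and log layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

MGMT_PORT = 7547  # remote-management port named in the article

# Constructed sample lines (netfilter LOG style, documentation IPs only).
SAMPLE_LOG = """\
2016-11-27T10:00:05 gw kernel: WAN-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=7547 SYN
2016-11-27T10:06:35 gw kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51820 DPT=7547 SYN
2016-11-27T10:07:00 gw kernel: WAN-IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443 SYN
2016-11-27T10:14:05 gw kernel: WAN-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40990 DPT=7547 SYN
2016-11-27T10:20:00 gw kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.80 DST=192.0.2.11 PROTO=TCP SPT=42000 DPT=7547 SYN
"""

# Timestamp, source, destination and TCP destination port of one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def summarize_mgmt_probes(log_text, port=MGMT_PORT):
    """Per destination IP: hit count, distinct sources, median gap in minutes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) == port:
            hits[m["dst"]].append((datetime.fromisoformat(m["ts"]), m["src"]))
    report = {}
    for dst, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report[dst] = {
            "hits": len(events),
            "sources": len({s for _, s in events}),
            # A single hit gives no interval to measure.
            "median_gap_min": median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for dst, stats in summarize_mgmt_probes(SAMPLE_LOG).items():
        print(dst, stats)
```

Any destination that appears in the report is receiving unsolicited traffic on the management port and is a candidate for a WAN-side filter on TCP 7547.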
Deutsche Telekom has published an emergency patch for two specific models of its Speedport broadband routers, the Speedport W 921V and the Speedport W 723V Type B, and is currently rolling out firmware updates to fix this severe flaw.
The company recommends that all customers shut down their broadband routers, wait 30 seconds, and then restart them in an attempt to fetch the new firmware update during the boot process.
The attack's authorship is currently unknown, but it is speculated that, as in the previous case, Russian hackers were behind these actions. According to evidence obtained by the researchers, this is a situation that can be repeated over the next year.