Massive German web outage blamed on new Mirai variant



Written by

The outage that knocked nearly a million customers of German ISP Deutsche Telekom offline last weekend was caused by a new variant of the Mirai botnet — this one designed to target as many as five million potentially vulnerable home internet routers all over the world — according to security researchers.

“This is a very heavily modified version of Mirai,” said Allison Nixon, director of threat research at Flashpoint told CyberScoop, “It may even end up being called something else.”

Like the original Mirai, the new variant begins broadcasting attack traffic once it’s infected a device, aimed at compromising other similarly vulnerable devices. However, the new variant doesn’t rely on hard coded default passwords, but instead exploits a recently discovered vulnerability in many kinds of home internet routers. Essentially, the new variant exploits a standard protocol, known as TR-069 or TR-064, that’s designed to allow the ISP to remotely manage the router.

“It’s very simple remote command execution vulnerability,” said Nixon. A security blogger calling him or herself “Kenzo2017” posted details of the vulnerability earlier this month — and a “proof of concept” exploit that actually weaponized it against a router used by Irish ISP Eir.

In a statement  this week, Deutsche Telekom said its routers were not actually vulnerable to the exploit, but the volume of attack traffic generated by the worm knocked more than 900,000 customers offline.

“The attack was not successful, the routers were not infected,” the statement said, “However, because of the attack the routers of our customers were overloaded and crashed.”

Nonetheless there are many mass market home routers that are vulnerable, and as Johannes Ullrich from the SANS Internet Storm Center told CyberScoop, “The disclosure certainly wasn’t done right.”

Kenzo2017 does not appear to have contacted the manufacturer or ISP whose customers had the devices installed that he found to be vulnerable. Nor does he appear to have notified any Computer Incident Response Team. “There is no mention of [the ISP] being notified of this issue. I also can’t find a CVE number for this vulnerability,” noted Ulrich in a blog post.

But Ullrich told CyberScoop he hadn’t been able to find any security disclosure contact information posted on the ISP’s website. “I do think companies should have a specific publicized security contact,” he said, “There should also be a PGP key to allow a submitter to encrypt critical information.”

Ullrich added that it didn’t seem Kenzo2017 had realized the widespread implications of the vulnerability “aside from the particular … modem that he looked at.”

Nixon said that the speed with which the new variant attackers were able to “incorporate the exploit into their criminal scheme,” along with the “level of sophistication and experience” they exhibited and the fact that they have invested heavily in a robust and resilient command and control infrastructure strongly suggests that they are an organized criminal enterprise.

“This is definitely not their first botnet,” she said. Indeed the infected devices were being recruited into existing Mirai botnets to boost the power of the distributed denial of service, or DDoS, attacks they were launching.

Flashpoint reported earlier this month that, since its source code had been made public in October, the original botnet it controlled had splintered as hackers vied with each other for control of the large, but not inexhaustible, pool of vulnerable devices.

Some estimates put the number of routers with vulnerable TR-064 or -069 protocols as high as five million worldwide, Nixon noted, so it isn’t just the 900,000 customers of Deutsche Telekom who could be impacted.

“We don’t yet know the potential scope of this infection,” she said, but added that Flashpoint researchers had seen infections as far afield as Brazil, Britain, Turkey, Iran, Ireland and Thailand.

She said that a firmware update from Deutsche Telekom should fix the routers, so long as customers rebooted them.

“We’ve not seen anything” from any of the other ISPs with potentially vulnerable routers, she noted.