The Mirai worm was previously responsible for outages on Twitter and Spotify as well as one of the largest DDoS attacks in history.
Almost a million customers of German internet provider Deutsche Telekom were hit by a hack this weekend that disrupted internet, TV and phone networks across the country.
At its peak, the botnet attack affected just under five per cent of the ISP’s 20 million customers in Germany, around 900,000 people. The German Federal Office for Information Security (BSI) confirmed the attack in a statement on its website, saying: “This failure [is part of] a worldwide attack on selected remote management ports of DSL routers. This was done to infect the attacked devices with malicious software.”
The attack exploited a security vulnerability in at least two models of Deutsche Telekom’s customer routers, allowing a malicious virus to enter through an unsecured port. The company issued a patch for two models affected by the hack (Speedport W 921V and Speedport W 723V Type B) and advised users to reboot their routers in order to clear the virus from their devices.
“There is no error pattern: some customers are experiencing temporary problems or very marked fluctuations in quality, but there are also customers for whom the service is not working at all. Based on the error pattern, we cannot exclude the possibility that the routers have been targeted by external parties with the result that they can no longer register on the network,” said Deutsche Telekom in a statement on their website.
The suspicious activity targeted unsecured transmission control protocol (TCP) ports on routers. After entering through TCP port 7547, the attack caused routers to download a binary file named ‘1’ and execute it, making the router search for and infect other devices with unsecured TCP ports. Because the malware deletes itself from the router’s filesystem, the infection should not remain on a router after it has been rebooted.
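The propagation pattern described above (one infected router reaching out to many other hosts on TCP port 7547) is something an ISP or network operator can look for in its own connection logs. The following is an added example, not code from the article or from Deutsche Telekom; it assumes a simple constructed firewall log format and flags sources that fan out to several distinct hosts on port 7547.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article or any real device).
# Assumed format: "<timestamp> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|block>"
SAMPLE_LOG = """\
2016-11-27T09:00:01Z proto=tcp src=198.51.100.7:41022 dst=192.0.2.10:7547 action=allow
2016-11-27T09:00:01Z proto=tcp src=198.51.100.7:41023 dst=192.0.2.11:7547 action=allow
2016-11-27T09:00:02Z proto=tcp src=198.51.100.7:41024 dst=192.0.2.12:7547 action=allow
2016-11-27T09:00:02Z proto=tcp src=198.51.100.7:41025 dst=192.0.2.13:7547 action=block
2016-11-27T09:00:03Z proto=tcp src=203.0.113.5:51000 dst=192.0.2.10:443 action=allow
2016-11-27T09:00:04Z proto=tcp src=203.0.113.9:51001 dst=192.0.2.10:7547 action=allow
2016-11-27T09:00:05Z proto=udp src=198.51.100.7:5353 dst=192.0.2.10:5353 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

ROUTER_MGMT_PORT = 7547  # the TCP port named in the article


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def port_fanout(lines, port=ROUTER_MGMT_PORT):
    """Map each source IP to the set of destination IPs it contacted on TCP <port>.
    Blocked attempts count too: a blocked probe is still evidence of scanning."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and int(rec["dport"]) == port:
            fanout[rec["src"]].add(rec["dst"])
    return fanout


def flag_scanners(lines, min_targets=3, port=ROUTER_MGMT_PORT):
    """Sources that touched at least <min_targets> distinct hosts on the port (worm-like fan-out)."""
    return sorted(src for src, dsts in port_fanout(lines, port).items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in flag_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src}: contacted multiple hosts on TCP/{ROUTER_MGMT_PORT}")
```

A single legitimate management connection to one router (as from 203.0.113.9 in the sample) stays below the threshold, while the source probing four routers is flagged.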
According to The Register, the attack was likely caused by a modified version of the Mirai worm, which exploits vulnerabilities in Internet of Things (IoT) devices, crashing them or using them as part of a botnet in distributed denial of service (DDoS) attacks. On September 20 2016, the Mirai botnet was used to target the website of American cybersecurity journalist Brian Krebs, directing up to 620 gigabits per second of traffic from hacked IoT devices including CCTV cameras.
“Someone has a botnet with capabilities we haven’t seen before,” said Martin McKeay, a senior security advocate at Akamai, the company that protects Krebs’ site from cyber attacks. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”
In September, the Mirai source code was posted onto the hacking community website Hackforums.net. A user under the name “Anna-senpai” released the source code, saying: “Today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
After the attack on Krebs’ website, Mirai was used to attack the internet services company Dyn, causing mass outages on Twitter, Spotify and PayPal on 21 October 2016. The same source code was then used on November 15 to attack Liberia’s internet infrastructure, knocking large parts of the country offline.