Deutsche Telekom has said an incident that took 900,000 customers offline on Sunday and Monday was caused by an attack, but not on Deutsche Telekom itself. Instead, this was a botched botnet campaign, in which an attacker was trying to install the Mirai malware onto home routers, so they could be used in attacks on other victims.
Around 4.5 percent of DT’s fixed line customers suffered problems getting online until the outage tailed off on Monday. The company’s head of security Thomas Tschersich has said the cause of the trouble was an unknown attacker attempting to use malware to recruit customers’ Speedport routers into the Mirai botnet, which has been responsible for distributed denial of service (DDoS) attacks including a giant hit on the Dyn directory service in October.
Your routers belong to… oops
“In the framework of the attack, it was attempted to turn the routers into a part of a botnet,” Tschersich told the newspaper Der Tagesspiegel, according to a report by Reuters.
The Mirai botnet has crystalized fears that the rapid expansion of the Internet onto ever more consumer devices is creating new security risks if those devices can be subverted.
Last month’s attack on Dyn was launched from Mirai bots mostly installed on webcams and digital recorders from China. Telekom’s Speedport routers are sourced from a number of Asian vendors, but it seems that models made by Arcadyan Technology of Taiwan were involved in this attack - as the company has supplied firmware updates to three Arcadyan devices.
The problems were experienced across Germany, including Berlin, Hamburg, Düsseldorf, Frankfurt, Stuttgart and Munich.
Alex Mathews, EMEA technical manager at Positive Technologies, agreed the problem looked like a broken botnet: “Hackers are not very interested in broken routers, they prefer to take control over working routers, and use them for other attacks.”
Deutsche Telekom has not revealed the vulnerability used in the campaign. Previous Mirai botnets have relied on poor security in the devices they use, looking for well-known default passwords, said Mathews: “On the other hand, the malware authors can use more serious, unknown vulnerabilities in routers’ firmware or in communication protocols. In this case, users can hardly do anything to protect themselves.”