SecurityWeek

100,000 UK Routers Likely Affected by Mirai Variant

Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack, and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently accidental rather than intentional.

This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different from the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”

Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”

In a subsequent post on Saturday, Tierney seems to have named the second worm ‘Annie’.

“The TR-064 security hole that was reported this week is really nasty,” he reported. “The worm that exploits this is being referred to as ‘Annie’. Attackers appear to have cottoned on to the fact that the TR-064 vulnerability can be used for more than just recruiting the router into a botnet.” The additional purpose, he suggested, is to steal the router’s WiFi network key. Worryingly, he also claims that the fix pushed out by TalkTalk will most likely not solve the problem.

Following the incident, TalkTalk published its solution: customers should switch off affected routers and leave them for 20 minutes while they update with new software. “After 20 minutes try and access the internet again, if you’ve changed your wireless details then you’ll need to use the wireless network name and password on the back of the router.”

But Tierney sees a problem with this: it won’t work as a fix. “Nearly all customers never change their Wi-Fi key from that written on the router. Why would they? I’ll bet many don’t even realize they can.” So what happens is that Annie steals the key, and “the TalkTalk fix simply resets the router, to the exact same keys that have already been stolen!!”

Having acquired the WiFi key, an attacker can listen in to communications on the network and infect it with additional malware. The attacker would need to be in close physical proximity to the router (outside, perhaps in a closely parked vehicle); but, added Tierney, “if you know the SSID (also stolen using the Annie worm) you can use databases such as https://wigle.net to find your victim’s house.” His solution is that TalkTalk “should be REPLACING all customers’ routers urgently;” possibly as many as 55,000.

TalkTalk itself is not currently keen to do so. A spokeswoman told the BBC that the number of infected routers had been “nothing in that order of magnitude”. She added, “Our security team does not believe there is any greater risk that a customer’s wi-fi can be used or accessed without their permission as a result of this.”

Dr. Steven Murdoch from University College London suggested something in between the two positions. “It’s possible [the perpetrators of Annie] are just security researchers, but also reasonably possible that they are actually criminals that intend to exploit this information.” He doesn’t believe that TalkTalk necessarily needs to recall all the routers: “The hardware is fine, what needs to be replaced is the wi-fi password.”

He does, however, admit that this is difficult. “If TalkTalk does this online or over the phone, that leaves the customers open to phishing attacks, where a scammer says: ‘As you heard on the news you need to change your password, please do these things…’”

TalkTalk remains adamant that even the password change is unnecessary. Given its recent hefty fine by the UK’s Information Commissioner following last year’s breach, it must be very confident.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
