German ISP Confirms Malware Attacks Caused Disruptions

Users Around the World Vulnerable to Attacks on Port 7547

German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware; the infection attempts failed, but they nevertheless caused 4-5 percent of devices to crash, preventing their owners from going online.

Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

Port 7547 is utilized by the TR-069/TR-064 protocol, which ISPs use to manage devices on their networks. Security experts found roughly 41 million devices with this port open, potentially making them vulnerable to attacks.

The malware, designed to target Internet of Things (IoT) devices with both ARM and MIPS architectures, scans the Web for vulnerable equipment. In an effort to prevent additional exploits, the threat kills the Telnet service and closes port 7547 from the firewall.
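Because the scanning described above shows up as inbound TCP connection attempts to port 7547, a gateway that logs dropped or accepted packets already holds the evidence of a surge like the one SANS observed. The following script is an added example for defenders, not code from the article or from any of the vendors mentioned: it parses netfilter-style syslog lines (the log lines are constructed sample data, and the addresses are documentation ranges), counts TR-064 port probes per source and per minute, and flags minutes that exceed a chosen threshold.

```python
"""Rank sources probing TCP port 7547 (TR-069/TR-064 management) in
netfilter LOG-target syslog lines and flag minutes with a surge of hits.

Added defender example; the log excerpt below is constructed, and the
field layout assumes the standard iptables/netfilter LOG output.
"""
import re
from collections import Counter

TR064_PORT = 7547

# Constructed sample log (not real traffic): two sources probe 7547,
# one unrelated HTTPS connection, one Telnet probe, one UDP line.
SAMPLE_LOG = """\
Nov 28 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 28 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51235 DPT=7547 SYN
Nov 28 10:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=443 SYN
Nov 28 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=7547 SYN
Nov 28 10:01:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51236 DPT=23 SYN
Nov 28 10:02:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=7547 SYN
Nov 28 10:02:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=UDP SPT=40003 DPT=7547 LEN=40
"""

# key=value fields written by the netfilter LOG target
_FIELD_RE = re.compile(r"\b(?P<key>SRC|DST|PROTO|SPT|DPT)=(?P<val>\S+)")
# syslog timestamp, truncated to the minute for bucketing
_TS_RE = re.compile(r"^(?P<minute>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\s")


def parse_line(line):
    """Return {'minute', 'src', 'dst', 'proto', 'dpt'} or None if the line
    lacks the fields needed for the analysis."""
    fields = {m.group("key"): m.group("val") for m in _FIELD_RE.finditer(line)}
    ts = _TS_RE.match(line)
    if not ts or "SRC" not in fields or "DPT" not in fields:
        return None
    try:
        dpt = int(fields["DPT"])
    except ValueError:
        return None
    return {
        "minute": ts.group("minute"),
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": dpt,
    }


def tr064_probes(log_text, port=TR064_PORT):
    """All parsed records that are TCP connection attempts to the TR-064 port."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["proto"] == "TCP" and r["dpt"] == port]


def summarize(log_text, port=TR064_PORT):
    """Total probe count plus per-source and per-minute counters."""
    probes = tr064_probes(log_text, port)
    return {
        "total": len(probes),
        "sources": Counter(r["src"] for r in probes),
        "per_minute": Counter(r["minute"] for r in probes),
    }


def surge_minutes(per_minute, threshold):
    """Minutes whose probe count reaches the threshold, in chronological
    order of appearance in the log."""
    return [minute for minute, n in per_minute.items() if n >= threshold]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} TCP probes of port {TR064_PORT}")
    for src, n in report["sources"].most_common():
        print(f"  {src}: {n}")
    for minute in surge_minutes(report["per_minute"], threshold=3):
        print(f"surge at {minute}: {report['per_minute'][minute]} probes")
```

On a real gateway, feed it the kernel log (for example the output of `journalctl -k` or `/var/log/kern.log`) and set the threshold from the normal baseline of port 7547 traffic, which for a home or small-office uplink should be close to zero once the ISP's own management addresses are excluded.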

The Mirai-based worm leverages a proof-of-concept (PoC) exploit released earlier this month, when researchers warned about the possibility of attacks via TR-064 commands on D1000 modems from Irish ISP Eir.

BadCyber reported seeing attacks against Zyxel routers in Poland. In these attacks, the hackers used a remote code execution vulnerability related to NTP server settings. It’s worth noting that Eir’s D1000 modems are also manufactured by Zyxel.

The SANS Institute reported on Monday that Austria had also seen a surge in TR-064 traffic in the last 24 hours. Shodan shows that there are roughly 53,000 devices with port 7547 open in Austria.

One researcher said he identified roughly 50 types of devices vulnerable to these attacks, including ones made by D-Link, Aztech, ZTE, Digicom and Comtrend. The affected ISPs also include Vivo in Brazil and TalkTalk in the UK.

Kaspersky Lab researchers have also monitored the attacks and noticed that the cybercriminals changed their command and control (C&C) servers to IPs used by the US military.

“Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack,” said Kaspersky’s Stefan Ortloff.

Related: This Web-based Tool Checks if Your Network Is Exposed to Mirai

Related: Mirai Botnet Infects Devices in 164 Countries

Related: Mirai Used STOMP Floods in Recent DDoS Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.