German ISP Confirms Malware Attacks Caused Disruptions

Users Around the World Vulnerable to Attacks on Port 7547

German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware. The attempts failed, but they caused 4-5 percent of the devices to crash, which prevented their owners from going online.

Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

Port 7547 is used by the TR-069/TR-064 protocols, which ISPs use to remotely manage the devices on their networks. Security experts found roughly 41 million devices with this port open to the Internet, potentially making them vulnerable to attacks.

The malware, designed to target Internet of Things (IoT) devices with both ARM and MIPS architectures, scans the Web for vulnerable equipment. In an effort to prevent additional exploits, the threat kills the Telnet service and uses the firewall to close port 7547.

The Mirai-based worm leverages a proof-of-concept (PoC) exploit released earlier this month, when researchers warned about the possibility of attacks via TR-064 commands on D1000 modems from Irish ISP Eir.

BadCyber reported seeing attacks against Zyxel routers in Poland. In these attacks, the hackers used a remote code execution vulnerability related to NTP server settings. It’s worth noting that Eir’s D1000 modems are also manufactured by Zyxel.

The SANS Institute reported on Monday that Austria had also seen a surge in TR-064 traffic in the last 24 hours. Shodan shows that there are roughly 53,000 devices with port 7547 open in Austria.
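The ISPs and researchers quoted above detected the campaign as a surge in connection attempts against port 7547; the following script, added here as an illustration and not code from SecurityWeek, SANS or any of the vendors named, shows how a network operator could spot such a surge in their own firewall logs. It parses constructed iptables-style log lines (the sample data is invented, not real traffic), counts attempts per hour on the TR-064 port, and flags hours that exceed a multiple of the median baseline, along with the most active source addresses.

```python
import re
from collections import Counter
from statistics import median

TR064_PORT = 7547  # TR-069/TR-064 management port named in the article

# Constructed iptables-style firewall log lines for the example (not real traffic).
SAMPLE_LOGS = """\
Nov 28 00:12:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 01:40:19 gw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 02:05:44 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=443
Nov 28 02:31:10 gw kernel: IN=eth0 SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 03:11:02 gw kernel: IN=eth0 SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 04:15:30 gw kernel: IN=eth0 SRC=198.51.100.33 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 05:00:01 gw kernel: IN=eth0 SRC=198.51.100.40 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 05:00:02 gw kernel: IN=eth0 SRC=198.51.100.41 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 05:00:05 gw kernel: IN=eth0 SRC=198.51.100.42 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 05:00:09 gw kernel: IN=eth0 SRC=198.51.100.43 DST=203.0.113.5 PROTO=TCP DPT=7547
Nov 28 05:01:14 gw kernel: IN=eth0 SRC=198.51.100.40 DST=203.0.113.5 PROTO=TCP DPT=7547
"""

# Captures the hour bucket ("Nov 28 05"), the source address and the destination port.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d{2}):\d{2}:\d{2} .*? SRC=(\S+) .*? DPT=(\d+)")

def parse(log_text):
    """Return (hour_bucket, src_ip, dst_port) tuples; non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3))))
    return records

def hourly_counts(records, port=TR064_PORT):
    """Connection attempts per hour bucket, counting only the port of interest."""
    return Counter(hour for hour, _src, dport in records if dport == port)

def surge_hours(counts, factor=3):
    """Hours whose count exceeds `factor` times the median hourly count (the baseline)."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(h for h, n in counts.items() if n > factor * baseline)

def top_sources(records, port=TR064_PORT, limit=3):
    """Most active source addresses hitting the port, for blocking or reporting."""
    return Counter(src for _h, src, dport in records if dport == port).most_common(limit)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    print(surge_hours(hourly_counts(recs)), top_sources(recs))
```

The median baseline is deliberately robust to a single noisy hour; on real logs the hour bucket should be widened or narrowed to match the normal management traffic pattern of the network.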

One researcher said he identified roughly 50 types of devices vulnerable to these attacks, including ones made by D-Link, Aztech, ZTE, Digicom and Comtrend. The affected ISPs also include Vivo in Brazil and TalkTalk in the UK.

Kaspersky Lab researchers have also monitored the attacks and noticed that the cybercriminals changed their command and control (C&C) servers to IPs used by the US military.

“Since there is no Mirai-related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack,” said Kaspersky’s Stefan Ortloff.

Related: This Web-based Tool Checks if Your Network Is Exposed to Mirai

Related: Mirai Botnet Infects Devices in 164 Countries

Related: Mirai Used STOMP Floods in Recent DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
