
German ISP Confirms Malware Attacks Caused Disruptions

Users Around the World Vulnerable to Attacks on Port 7547


German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware; the attempts failed, but they caused 4-5 percent of devices to crash, preventing owners from going online.

Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

Port 7547 is utilized by the TR-069/TR-064 protocol, which ISPs use to manage devices on their networks. Security experts found roughly 41 million devices with this port open, potentially making them vulnerable to attacks.

The malware, designed to target Internet of Things (IoT) devices with both ARM and MIPS architectures, scans the Web for vulnerable equipment. In an effort to prevent additional exploits, the threat kills the Telnet service and closes port 7547 in the firewall.
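The detection angle for the traffic described above, as an added example that is not part of the article: a defender who sees port 7547 reachable from the WAN can flag TR-064 requests (the `urn:dslforum-org:` SOAP namespace) that do not come from the ISP's management system. The log format, the sample lines and the ACS address range are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the article): a firewall/HTTP view of
# traffic arriving at a router's WAN interface.
SAMPLE_LOG = """\
2016-11-28T10:01:02Z src=203.0.113.7 dst=198.51.100.20 dport=7547 proto=tcp method=POST soapaction="urn:dslforum-org:service:Time:1#SetNTPServers"
2016-11-28T10:01:05Z src=192.0.2.10 dst=198.51.100.20 dport=7547 proto=tcp method=POST soapaction="urn:dslforum-org:service:DeviceInfo:1#GetInfo"
2016-11-28T10:01:09Z src=203.0.113.9 dst=198.51.100.20 dport=443 proto=tcp method=GET soapaction=-
2016-11-28T10:01:12Z src=203.0.113.44 dst=198.51.100.20 dport=7547 proto=tcp method=GET soapaction=-
"""

# Assumed ISP management (ACS) range; anything else talking to 7547 is unexpected.
ACS_NETWORKS = [ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r'(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'proto=(?P<proto>\S+) method=(?P<method>\S+) soapaction="?(?P<soap>[^"\s]+)"?'
)

def parse_line(line):
    """Parse one key=value log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_acs(src):
    """True if the source address belongs to the ISP's management network."""
    ip = ip_address(src)
    return any(ip in net for net in ACS_NETWORKS)

def classify(rec):
    """Return a finding label for one parsed record, or None if benign."""
    if int(rec["dport"]) != 7547:
        return None
    if is_acs(rec["src"]):
        return None          # expected TR-069/TR-064 management traffic
    if "dslforum-org" in rec["soap"]:
        return "tr064_from_untrusted_source"   # SOAP call from outside the ACS
    return "port7547_probe"                    # non-SOAP contact, likely a scan

def scan(log_text):
    """Run classify() over every line and return (source, label) findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            label = classify(rec)
            if label:
                findings.append((rec["src"], label))
    return findings
```

Feeding real firewall logs through `scan()` separates legitimate ACS sessions from the WAN-side probes the article describes, which is the signal to act on before the device crashes or is reconfigured.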


The Mirai-based worm leverages a proof-of-concept (PoC) exploit released earlier this month, when researchers warned about the possibility of attacks via TR-064 commands on D1000 modems from Irish ISP Eir.

BadCyber reported seeing attacks against Zyxel routers in Poland. In these attacks, the hackers used a remote code execution vulnerability related to NTP server settings. It’s worth noting that Eir’s D1000 modems are also manufactured by Zyxel.

The SANS Institute reported on Monday that Austria had also seen a surge in TR-064 traffic in the last 24 hours. Shodan shows that there are roughly 53,000 devices with port 7547 open in Austria.

One researcher said he identified roughly 50 types of devices vulnerable to these attacks, including ones made by D-Link, Aztech, ZTE, Digicom and Comtrend. The affected ISPs also include Vivo in Brazil and TalkTalk in the UK.

Kaspersky Lab researchers have also monitored the attacks and noticed that the cybercriminals changed their command and control (C&C) servers to IPs used by the US military.

“Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack,” said Kaspersky’s Stefan Ortloff.

Related: This Web-based Tool Checks if Your Network Is Exposed to Mirai

Related: Mirai Botnet Infects Devices in 164 Countries

Related: Mirai Used STOMP Floods in Recent DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
