A new wave of attacks involving the Mirai botnet has crippled internet access for nearly a million home users in Germany. The latest attacks used a new version of the Mirai malware (Linux.Mirai) which is configured to exploit a weakness found in routers widely used in Germany.
While the original Mirai malware (Linux.Gafgyt) was designed to perform brute-force attacks on a range of routers, this latest variant exploits a weakness in the CPE WAN Management Protocol (CWMP), which leaves TCP port 7547 open on the device.
According to Germany’s Information Security Bureau (BSI) (German language link), the attacks began on Sunday November 27 and continued into Monday.
Although the bot payload was not able to infect Deutsche Telekom home routers, the amount of network traffic generated by other devices scanning for vulnerable targets impacted the routers' connectivity and led to some customers being cut off from the internet. Deutsche Telekom has issued patches for three of its routers (German language link) that were affected by the attacks. The company has advised customers to apply the update by turning off their router for 30 seconds and powering it back on. When the router is turned back on, it automatically downloads the new software from the server.
ZyXEL routers used by Irish telecoms firm Eir are also understood to be vulnerable to these attacks. The company said all potentially affected modems are now protected with network mitigation while it continues to deploy a firmware patch. Eir also advised customers with affected modems to change the administrative and Wi-Fi passwords.
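As an added example that is not part of the original post: a small Python script that parses constructed netfilter LOG lines from a WAN-facing firewall rule, counts inbound probes to TCP 7547 (and Telnet) per source, and estimates the probe rate, so an administrator can measure the kind of scan volume that degraded the routers described above. The log format, addresses, year and flagging threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed netfilter LOG output (syslog style) from a WAN-facing rule that
# logs inbound TCP SYNs; addresses are from documentation ranges, not real.
SAMPLE_LOG = """\
Nov 27 14:01:03 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44190 DPT=7547 SYN
Nov 27 14:01:04 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44191 DPT=7547 SYN
Nov 27 14:01:04 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.25 DST=198.51.100.7 PROTO=TCP SPT=51022 DPT=7547 SYN
Nov 27 14:01:05 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44192 DPT=7547 SYN
Nov 27 14:01:06 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.7 PROTO=TCP SPT=60001 DPT=443 SYN
Nov 27 14:01:07 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44193 DPT=7547 SYN
Nov 27 14:02:00 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.25 DST=198.51.100.7 PROTO=TCP SPT=51023 DPT=23 SYN
"""

# Ports probed in these attacks: CWMP/TR-064 on 7547, plus Telnet (23), which the hardening advice says to disable.
WATCHED_PORTS = {7547: "CWMP/TR-064", 23: "Telnet"}
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?\bSRC=(\S+)\s.*?\bDPT=(\d+)\b")

def parse_line(line, year=2016):
    """Return (timestamp, src, dport) for a netfilter LOG line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m.group(2), int(m.group(3))

def watched_attempts(log_text):
    """Yield (timestamp, src, dport) for SYNs aimed at the watched ports only."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in WATCHED_PORTS:
            yield rec

def count_by_source(log_text):
    """Inbound probes per source IP, across all watched ports."""
    return Counter(src for _, src, _ in watched_attempts(log_text))

def flag_scanners(log_text, threshold=3):
    """Sources with at least `threshold` probes: candidates for a WAN-side block rule."""
    return sorted((src, n) for src, n in count_by_source(log_text).items() if n >= threshold)

def attempts_per_minute(log_text):
    """Aggregate probe rate over the time span of the log (records assumed chronological)."""
    recs = list(watched_attempts(log_text))
    if len(recs) < 2:
        return float(len(recs))
    span = (recs[-1][0] - recs[0][0]).total_seconds()
    return len(recs) * 60 / span if span > 0 else float(len(recs))
```

Pointing the script at a real `journalctl -k` or `/var/log/kern.log` export, with the LOG prefix adjusted to your own rule, gives per-source counts suitable for a temporary drop rule while a firmware patch is pending.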
Virulent threat to IoT devices
Mirai first appeared in September, when it was used in a huge distributed denial of service (DDoS) attack against the website of journalist Brian Krebs. The malware has since spread quickly, infecting a range of IoT devices including routers, digital video recorders and web-enabled security cameras. It caused major disruption in October, when it powered a DDoS attack on domain name system (DNS) provider Dyn that temporarily knocked a number of major websites offline, including Spotify, Twitter, and PayPal.
Guarding against attack
Users of IoT devices should take a number of precautionary measures to minimize the risk of infection from Mirai and similar threats:
- Research the capabilities and security features of an IoT device before purchase
- Perform an audit of IoT devices used on your network
- Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
- Use a strong encryption method when setting up Wi-Fi network access (WPA)
- Disable features and services that are not required
- Disable Telnet login and use SSH where possible
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
- Modify the default privacy and security settings of IoT devices according to your requirements and security policy
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Regularly check the manufacturer’s website for firmware updates
- Ensure that a hardware outage does not leave the device in an insecure state
Protection
Symantec and Norton products protect against the Mirai Trojan with the following detections:
Further reading
To learn more about Mirai, read our blog—Mirai: what you need to know about the botnet behind recent major DDoS attacks