Deutsche Telekom confirmed that more than 900,000 routers began to suffer serious connectivity problems due to a cyber attack.
More than 900,000 routers belonging to Deutsche Telekom users in Germany were not able to connect to the Internet due to an alleged cyber-attack.
The affected routers were used by the Deutsche Telekom customers also for fixed telephony and TV services.
The problems lasted at least two days, the outage began on Sunday, November 27, at around 17:00, local time.
Deutsche Telekom users all over the country were not able to connect online using the routers provided by the company.
Deutsche Telekom didn’t provide further technical details about the alleged cyber attack or about the affected router models.
It is not clear which threat compromised the Deutsche Telekom routers; experts speculated the involvement of malware that could have prevented the equipment from connecting to the company’s network.
Security experts from SANS ISC published an interesting report that revealed a significant increase in scans and exploitation attempts for a SOAP Remote Code Execution (RCE) vulnerability via port 7547 against Speedport routers.
This specific model of routers is widely used by Deutsche Telekom for German users.
“For the last couple of days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers.
This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.” added SANS ISC.
“According to Shodan, about 41 Million devices have port 7547 open. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.”
According to the SANS ISC report, it seems that attackers tried to exploit a common vulnerability in the TR-069 configuration protocol. Experts highlighted the availability of a Metasploit module implementing the exploit for this vulnerability.
An unconfirmed list of vulnerable routers includes the Eir D1000 Wireless Router (a rebranded Zyxel modem used by the Irish ISP Eir) and the Speedport Router (Deutsche Telekom).
Of course, when dealing with IoT devices and cyber threats, the most dreaded malware is the Mirai bot that was recently involved in several massive DDoS attacks.
According to BadCyber, the culprit is the Mirai botnet, which was designed to exploit Eir D1000 (Zyxel) modems via port 7547.
“TR-064 protocol is based on HTTP and SOAP and its default port is TCP 7547. Commands are sent as POST requests to this port.” states BadCyber.
“The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:
busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
busybox killall -9 telnetd
which should make the device “secure”, at least until the next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
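The BadCyber note above gives the defender the two facts needed for a detection rule: TR-064 management traffic is SOAP carried over HTTP POST, and it lands on TCP 7547. The following script is an added example written for this article, not code from BadCyber, SANS ISC or Deutsche Telekom. It parses a constructed, simplified connection log, ignores requests that come from an allow-listed auto-configuration server (ACS) range, and flags every other POST to port 7547 as a management request from an untrusted source (a plain GET is reported separately as a probe). The ACS network, the log format and the URIs are all assumptions made up for the example.

```python
"""Flag TR-064/TR-069 management requests on TCP 7547 that do not come from the ISP's ACS.

Added example for this article. Log format, addresses and URIs are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical ACS range (RFC 5737 documentation addresses); a real deployment
# substitutes the ISP's actual auto-configuration server network.
TRUSTED_ACS = [ip_network("203.0.113.0/24")]

TR064_PORT = 7547  # default TR-064 port, as stated in the BadCyber note

# Constructed log line shape:
#   <timestamp> src=<ip>:<port> dst=<ip>:<port> method=<METHOD> uri=<path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) method=(?P<method>\S+) uri=(?P<uri>\S+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    uri: str
    reason: str


def is_trusted(ip: str) -> bool:
    """True when the source sits inside an allow-listed ACS network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ACS)


def scan(lines):
    """Return one Finding per request to TCP 7547 from an untrusted source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["dport"]) != TR064_PORT:
            continue  # not a TR-064 request, or an unparseable line
        if is_trusted(m["src"]):
            continue  # legitimate ACS traffic
        # TR-064 commands are SOAP POSTs; a POST from an untrusted source is the
        # signal worth alerting on, a GET is only a probe of the open port.
        if m["method"].upper() == "POST":
            reason = "untrusted SOAP POST to TR-064 port"
        else:
            reason = "untrusted probe of TR-064 port"
        findings.append(Finding(m["ts"], m["src"], m["uri"], reason))
    return findings


# Constructed sample log: one ACS request, one foreign POST, one probe, one
# unrelated web request on port 80.
SAMPLE_LOG = [
    "2016-11-27T17:02:11Z src=203.0.113.10:51000 dst=192.0.2.5:7547 method=POST uri=/example/control",
    "2016-11-27T17:03:40Z src=198.51.100.77:40211 dst=192.0.2.5:7547 method=POST uri=/example/control",
    "2016-11-27T17:04:02Z src=198.51.100.78:40300 dst=192.0.2.5:7547 method=GET uri=/",
    "2016-11-27T17:05:00Z src=198.51.100.79:40301 dst=192.0.2.5:80 method=GET uri=/index.html",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.uri}: {f.reason}")
```

The allow-list is the detection counterpart of the mitigation quoted above: where the malware drops all of port 7547 with an iptables rule, an ISP that keeps remote management working needs to permit its own ACS and treat everything else on that port as hostile.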