A new variant of the Mirai malware that has been wreaking havoc on IoT devices is now being used to infect home routers installed by TalkTalk in the U.K. The malware is exploiting a vulnerability to install itself on the router and then attackers are using the infected devices in DDoS attacks.
Researchers at Imperva recently discovered routers infected with the Mirai variant were attacking a site belonging to one of Imperva’s customers. The DDoS attack involved a relatively small number of infected devices, around 2,400, and peaked at about 8,600 requests per second. This isn’t a huge attack by modern standards, but what’s unusual about it is that all of the attacking IP addresses are located in the U.K. After looking into it a little bit, the researchers found that 99 percent of the devices were TalkTalk routers.
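The pattern Imperva describes, a modest request rate from a few thousand sources that almost all sit in one ISP's address space, is something a defender can check for in their own web logs. The following is an added example and not Imperva's tooling; the log format, the ISP prefix list (documentation ranges used as placeholders) and the thresholds are all assumptions.

```python
"""Detection sketch: flag a flood whose sources are few but concentrated
in one ISP's address space, as in the TalkTalk router case described above.
Log format, prefix list and thresholds are assumptions, not from the article."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: "timestamp source_ip method path", one line per request.
SAMPLE_LOG = """\
2016-12-05T10:00:00 203.0.113.10 GET /
2016-12-05T10:00:00 203.0.113.11 GET /
2016-12-05T10:00:00 203.0.113.12 GET /
2016-12-05T10:00:00 198.51.100.7 GET /
2016-12-05T10:00:01 203.0.113.10 GET /
2016-12-05T10:00:01 203.0.113.11 GET /
2016-12-05T10:00:02 203.0.113.12 GET /
"""

# Hypothetical prefix list standing in for one ISP's customer ranges.
ISP_PREFIXES = [ip_network("203.0.113.0/24")]

def parse_log(text):
    """Yield (timestamp, source address) for each request line."""
    for line in text.splitlines():
        ts, src, *_ = line.split()
        yield datetime.fromisoformat(ts), ip_address(src)

def analyse(text, prefixes=ISP_PREFIXES):
    """Return peak requests per second, number of distinct sources, and the
    share of those sources that fall inside the given ISP prefixes."""
    per_second = Counter()
    sources = set()
    for ts, src in parse_log(text):
        per_second[ts] += 1          # timestamps have second granularity
        sources.add(src)
    in_isp = sum(any(s in p for p in prefixes) for s in sources)
    return {
        "peak_rps": max(per_second.values(), default=0),
        "sources": len(sources),
        "isp_share": in_isp / len(sources) if sources else 0.0,
    }

def looks_like_single_isp_botnet(stats, min_rps=100, min_share=0.9):
    """True when the flood clears the rate threshold and comes overwhelmingly
    from one ISP, which is what the TalkTalk incident looked like."""
    return stats["peak_rps"] >= min_rps and stats["isp_share"] >= min_share

if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    print(stats, looks_like_single_isp_botnet(stats, min_rps=4, min_share=0.7))
```

On real traffic the prefix list would come from the ISP's announced routes, and the thresholds from your baseline rather than the sample's tiny numbers.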
The Mirai variant that infected those routers is taking advantage of an issue with the CPE WAN management protocol (also known as TR-064) that allows an attacker to execute remote commands on the routers. Looking into the DDoS a little further, Imperva’s researchers found some weirdness.
“We almost ruled out TR-064, as none of the random IP scans found any devices with an open 7547 port. However, when we fed the same addresses into Shodan, we discovered that these ports had been open until a few days ago. This provided us not only with the smoking gun, but also with the possible identity of the culprit,” the researchers wrote in an analysis of the attacks.
It turns out that the Mirai malware was closing port 7547 after infecting the routers as a defense mechanism. The Imperva team said it’s not clear whether this is the same variant that was used to infect hundreds of thousands of Deutsche Telekom routers last month. But the situation highlights the weak state of security in the routers deployed by many telecoms and ISPs.
“We hope that the accumulated reports of the attacks will serve as a wakeup call for ISPs using routers susceptible to the vulnerability in the TR-064 protocol,” Imperva’s researchers said.
“With variants of Mirai already leveraging the exploit for large-scale attacks, it’s time for ISPs to proactively assume responsibility and issue emergency patches. Doing so will not only protect the privacy of their customers but also prevent their routers from falling into the hands of botnet operators, who would use them to endanger the internet ecosystem.”
Mirai has been used in a wide variety of DDoS attacks in the last couple of months, including a huge assault on Dyn, a DNS provider, that resulted in the service being knocked offline for a significant period of time. There are several separate Mirai botnets but most of the infected devices are IoT or embedded devices such as IP-enabled cameras and DVRs.
Image: Blogtrepreneur, CC By license.