The attack on Deutsche Telekom customers was performed using an altered version of the Mirai malware
The attack on Deutsche Telekom customers was performed using an altered version of the Mirai malware

Deutsche Telekom customers were attacked with a new variant of Mirai malware according to researchers. Not only did the researchers detect a new variant but assessed, “with high confidence” that this was an attempted power grab by a Mirai botmaster, to massively expand their botnet.

Deutsche Telekom customers faced massive outages over the weekend, resulting in disruptions to around 900,000 customers or five percent of the customer base. Deutsche Telekom initially guessed that the attack was performed using Mirai malware.  

Flashpoint confirmed those suspicions in a recent blogpost. The malware used in the attack is based on Mirai with several key differences. First, while the original Mirai propagates over TCP/23 and TCP/2323 this variant used TR-064 and TR-069 over port 7547. Second, Mirai guesses the passwords of targeted devices from a library of common passwords and this new variant leverages a known vulnerability to gain access to its targets.

Furthermore, Flashpoint believes that the attack on Deutsche Telekom customers was part of a larger attempt to grab hundreds of thousands of new recruits for a Mirai botnet.

Ronnie Tokazowski, senior malware analyst at Flashpoint, told SC, that he believes a botmaster was behind the attack: “There are overlaps in previous Mirai infrastructure with the newer Mirai samples, strongly suggesting that the existing botmasters were the ones who updated the malware.” This existing infrastructure is likely part of a rentable botnet.

Flashpoint also noted the existence of millions of infected devices not only in Germany, but in Brazil and the UK, too. While researchers can't put an exact number on the numberof infections, researchers estimate there are five million  vulnerable devices worldwide. Flashpoint could not answer who manufactured these infected or vulnerable routers, nor who they are served by.

Mirai has made a name for itself in recent months for its involvement in some of the largest DDoS attacks ever recorded. It first made its mark with the DDoS attack on the Krebs on Security website with a flood power of 620 Gbps. The next month, the Dyn DNS provider was attacked with a DDoS attack of over 1 terabyte, the largest on record.

Mirai's footprints were later seen in an attack on the African nation of Liberia, which resulted in major outages across the country.

Importantly, the malware builds its botnets through IoT devices: CCTV cameras,recorders and in this case, routers.

Once Mirai infects a device, it scans for other vulnerable devices, attempts to guess its password and once it successfully infects the device, starts the process again.

While apparently not a particularly complex or formidable piece of malware on its own, Mirai's strength derives from the weakness of the IoT. Graham Mann, MD of Encode Group UK, told SC that the sheer numbers of vulnerable IoT devices “provide attackers with immense computing power from which to mount devastating DDoS attacks”.

He added, “IoT devices are soft targets, they can be anywhere in the world, they won't have AV or security, owners will rarely update the firmware or configure them, and the majority of owners will have no idea that their devices are being misused for nefarious purposes.”

Deutsche Telekom's customers used routers from Arcadyan Technology, a Taiwan-based manufacturer. Deutsche Telekom said that it would now be reviewing its relationship with the company.

Steve Armstrong, MD of Logically Secure, told SCMagazineUK.com that he thinks governments need to hold vendors to account: “At a national level, I personally hope that governments are going to come down hard on vendors of these mass deployed internet devices (e.g. consumer broadband routers) that [are insecure].”

Soon, says Armstrong, someone's going to aim a botnet of these devices at a piece of critical infrastructure but “until someone breaks something that the government cares enough about, there will be no enforcement of change. In the meantime, let us hope that vendors start selling more secure equipment and opening up their back catalogue of devices and see what is fixable now and what needs a hardware refresh.”