Mirai Bots Knock Nearly a Million German Broadband Users Offline in Another Massive Cyber Assault
Nearly one million clients were knocked offline in Germany following a cyber attack. The problems first appeared around 17:00 local time on Sunday, November 27 and continued on Monday.
Over 900,000 Deutsche Telekom routers were affected in this massive cyber attack, the company said on Monday. The firm added that while some were unable to connect to the internet, others suffered intermittent problems. "We believe that influence was exerted on the routers from outside," a Deutsche Telekom spokesperson told AFP.
Telekom said that clients using some specific models of router were affected in this attack, adding that a "software" was installed on these devices preventing them from connecting to the company's network. It did not provide details of which models of router were affected. No other detailed of this possible malware was provided to the media either by the company.
Cyber attack in Germany - say thanks to Mirai, again!
Users first reported connectivity problems on Sunday, which were subsided after two hours. Similar to October's East Coast attack, the problems reappeared again today, starting 8am local time. Even after mitigating the problems, several users kept complaining about connectivity issues, with reports coming from all over the country.
Deutsche Telekom is Germany's biggest telecommunications provider, with its routers not only offering internet connectivity, but also fixed telephony and television services. Reports from Germany said that all these services were affected in the attack.
In a statement to the media, the telecom company blamed the incident on hackers. Telekom also added that it was working with equipment vendors to fix the issue and has offered a software security patch. Users were advised to shut down their routers and restart them after 30 seconds, force-installing new firmware sent by the company.
"The massive interference from connections of Deutsche Telekom, according to findings from the Federal Office for Security in Information Technology (BSI), follow a worldwide attack.” reads abendblatt.de. "According to BSI, the attacks were also noticeable in the government-protected government network, but could be repelled with effective protection measures."
Botnets and IoT - the chaos continues
It's been only over a month since a large number of users were taken offline in one of the largest cyber attacks of the internet history. Following the attack that used the Mirai malware to infect poorly-secured IoT devices, hackers then targeted Liberia to possibly test their cyber weapons.
Germany's cyber attack appears to be another assault in the same stream. Several independent security analysts have linked the attack to Mirai malware. Researchers suggested that the attackers may have exploited a Remote Code Execution (RCE) vulnerability via port 7547 against Speedport routers, widely deployed by Deutsche Telekom in the country. These routers leave Internet port 7547 open to outside connections.
"The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber wrote today. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."
Kaspersky Lab also confirmed a version of the Mirai IoT malware is behind the attacks. The "malware is not able to write itself to the router’s persistent filesystem," which means the infection will not survive a reboot.
Researchers recommend changing both the administrative password and the WiFi password of your router right after restarting the device. The two passwords should not be similar, and definitely never left to the default settings.
Following the United States Presidential election, Germany appears to be the next target. The country is anxious about the impact that fake news and cyber attacks could have on its upcoming election in 2017.