A huge botnet for large-scale cyber attacks has been formed through a vulnerability in Wi-Fi routers


By Papanooms

Deutsche Telekom and Eircom, Internet service providers (ISPs) in Germany and Ireland, supplied Wi-Fi routers to their customers. Securelist, the information security site run by the security company Kaspersky Lab, has pointed out that these routers are vulnerable.

New wave of Mirai attacking home routers - Securelist
https://securelist.com/blog/76791/new-wave-of-mirai-attacking-home-routers/

Newly discovered router flaw being hammered by in-the-wild attacks | Ars Technica
http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/

Securelist detected attacks exploiting a vulnerability in the Wi-Fi routers that Deutsche Telekom and Eircom had supplied to customers. The vulnerable devices appear to be routers called Speedport, made by Zyxel. What the vulnerable routers have in common is that port 7547 is kept open to external connections, which is how the ISP manages routers remotely in bulk. By sending commands based on the protocols used for that management, such as TR-069 or TR-064, an attacker appears to be able to gain unauthorized access to the router.


According to the SANS Internet Storm Center, vulnerable routers are being attacked every 5 to 10 minutes. According to Johannes Ullrich, Dean of Research, the attacks began to be seen among Deutsche Telekom customers after a power outage in Germany over the weekend. Also, according to what Deutsche Telekom posted on its Facebook page, 900,000 customers are using the vulnerable routers. Deutsche Telekom is urgently calling on customers to restart their routers and apply the emergency patch as soon as possible.

Update 11:45 a.m.: Our measures are taking effect, the number of affected customers is decreasing. There is a clear ...

Posted by Telekom-hilft on November 27, 2016


Also, at the beginning of November, the security firm BadCyber reported that attacks using port 7547 and the TR-064 protocol were being carried out against the same home routers targeted this time. According to the search engine Shodan, there are more than 41 million Internet devices with port 7547 open, and about 5 million of them use the TR-064 protocol.

When a vulnerable router is attacked, port 80, the port that faces the web, is opened, which allows the device to be operated remotely. From there the attacker appears to break the router's password, which seems either to have been left at its default or to be far too simple. Once the password is broken, the attacker turns the router into a bot belonging to their own botnet. Being told that your router is "a member of a botnet" may not mean much to you, but attackers use the huge botnets built this way to launch large-scale DDoS attacks, so your own router may end up playing a part in cyber crime without your knowing it.

In fact, an investigation by BadCyber researchers found that some of the vulnerable routers were connected to command and control servers of "Mirai", the malware behind the historically unprecedented DDoS attack of 1 terabit per second.
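
A detection example for the sequence described above (traffic to port 7547 from hosts that are not the ISP's management servers, followed by port 80 accepting connections on the WAN side). It is added here and is not code from Securelist, BadCyber or this article; the log format, the `WAN-IN` prefix, the management server range and every IP address are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the ISP's management (ACS) servers live in this documentation range.
ACS_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MGMT_PORT = 7547  # remote-management port named in the article
WEB_PORT = 80     # port the article says opens after a successful attack

FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample: accepted inbound connections on router WAN interfaces.
SAMPLE_LOG = """\
Nov 27 10:00:01 edge kernel: WAN-IN IN=wan0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40000 DPT=7547
Nov 27 10:04:12 edge kernel: WAN-IN IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=51234 DPT=7547
Nov 27 10:04:40 edge kernel: WAN-IN IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=51300 DPT=80
Nov 27 10:09:30 edge kernel: WAN-IN IN=wan0 SRC=198.51.100.99 DST=203.0.113.21 PROTO=TCP SPT=44444 DPT=7547
Nov 27 10:10:00 edge kernel: WAN-IN IN=wan0 SRC=198.51.100.50 DST=203.0.113.22 PROTO=TCP SPT=50000 DPT=80
garbage line without fields
"""

def is_acs(addr):
    """True if the source belongs to the ISP's own management servers."""
    return any(addr in net for net in ACS_NETWORKS)

def analyze(log_text):
    """Return (probed, exposed): routers reached on 7547 by non-ACS hosts,
    and the subset that later accepted WAN traffic on port 80."""
    probed = {}      # router IP -> set of non-ACS source IPs
    exposed = set()  # routers showing the 7547-then-80 sequence
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst, port = fields["DST"], int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # skip malformed or unrelated lines
        if port == MGMT_PORT and not is_acs(src):
            probed.setdefault(dst, set()).add(str(src))
        elif port == WEB_PORT and dst in probed:
            exposed.add(dst)
    return probed, exposed

if __name__ == "__main__":
    probed, exposed = analyze(SAMPLE_LOG)
    for router, sources in sorted(probed.items()):
        state = "WAN port 80 seen afterwards" if router in exposed else "7547 only"
        print(router, sorted(sources), state)
```

Routers in the second set are the ones to prioritise for the restart and emergency patch that Deutsche Telekom asks for.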

in Security, Posted by logu_ii