Information Security News
Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.
Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.
SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.
by Sean Gallagher
Black Friday was a dark day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses. The operator of the ransomware demanded $73,000 in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner.
The malware's effects were visible on screens in station agents' booths at multiple Muni train stations, which displayed the message, "You Hacked, ALL Data Encrypted." The ransom message gave an e-mail address ([email protected]) that has been tied to ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro.
A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the entire network of its victims—encrypting entire local and networked drives. The malware uses an open source disk encryption tool called DiskCryptor and identifies physical and network shares to encrypt using Windows' "GetLogicalDrives" volume management function. It also uses code from the free network password recovery software Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the infected machine—in some cases forcing a reboot of the system—to display its message.
(this article is work in progress. Please let us know if you have any more details to share)
UPDATE (0830 PST/1630 GMT) - Russ
German Telekom is now offering a firmware update for the affected routers. Details (in German) are here: https://www.telekom.de/hilfe/geraete-zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v. Affected user are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.
Help URL for Detusche Telekom Customers that are affected: https://www.telekom.de/hilfe/hilfe-bei-stoerungen/anschluss-ausfall
Reviewing port 7547 scans with port 443 open results in the exclusive receipt of Zyxel SSL certificates.
depth=0 C = CN, ST = TAIWAN, L = XINZHU, O = ZyXEL, OU = DSL Unit, CN = ZyXEL, emailAddress = [email protected]
It appears they make the vulnerable routers but that they are likely sold under different brands, or distributed by ISPs using their brand.
Be sure to read comments below as well. In particular, Austria is experiencing a strong increase in TR-069 traffic within the last 24 hours. According to Shodan, there are approximately 53,000 devices reachable on Port 7547 in Austria. Most of the traffic we currently see originates from other end-user DSL modems, a lot of it especially from Brazil.
Quick Action: If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will clean the router until it is infected again. But given that the host name used no longer resolved, new infections should stop until the host name is changed again.
Update: Somewhat expected, but with the old host name l.ocalhost.host being taken down, the bot now uses timeserver.host and ntp.timerserver.host . Both resolve to 220.127.116.11 for now (Thanks Franceso). See the addition below for a list of hostnames observed in our honeypots.
For the last couple days, attack against%%port:7547%% have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just waking up from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.
According to Shodan, ">">A Metasploit module implementing as exploit for the vulnerability can be found here:- ). It currently resolves for me to 18.104.22.168, but others also observed 5.188.232.[1,2,3,4]. Right now, the host name appears to no longer resolve for me on Comcast, but it still resolves on other ISPs that have the data still cached.">The file 1 is a MIPS executable. Based on strings, the file includes the SOAP request above, as well as a request to retrieve a file 2 which is an MSB MIPS variant of 1. There is also appears to be a file 3">http://22.214.171.124/1
5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc ">1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
6: ELF 32-bit MSB executable, SPARC version 1 (SYSV), statically linked, stripped
7: ELF 32-bit MSB ">">">">">