Last week, Mirai-like wormware made the news again with attacks on ISPs in the UK. Specifically, customers of TalkTalk and the Post Office reported Internet outages. As with the last Mirai incident involving consumer cameras, this one also took advantage of an exposed router port.
And by an amazing coincidence, some of the overall points about these ISP incidents were covered in two recent posts of ours: injection exploits are still a plague, and consumers should learn how to change their router passwords.
It’s Mirai, But It’s Not
This recent Mirai infestation started last month in Germany with perhaps up to 900,000 Deutsche Telekom customers experiencing connectivity problems with their routers.
And then it spread to the UK. But on closer analysis, security pros began to notice differences this time around.
The new variant of the Mirai malware — called Annie — probes on port 7547, not on port 23 (telnet). As every network and telecom wonk knows, that’s the port the ISPs can use to manage their routers through the obscure TR-064 protocol.
To summarize the research and analysis I’ve looked at, the attackers were able to use the protocol directly to snatch the router’s WiFi password along with the wireless network name or SSID.
To make matters worse, the attackers found a bad implementation of another TR-064 command that let them slip in or inject their own shell commands.
The shell commands do the heavy lifting: they download and execute binaries from the attackers' C2 servers, which then start the process all over again to spread the Annie worm.
The Badcyber blog has a nice write up of all this.
And the Goal Is …
By the way, all the above access did not require any authentication — no user name, no password.
Has anyone at the ISPs or the router manufacturers even heard about Privacy by Design?
I’m guessing not.
In any case, it seems the outages experienced by customers were a result of the extra traffic on the ISP’s network as more and more routers saw incoming requests on their ports.
From what we currently know, the Annie wormware leaves the routing function alone.
In other words, the DDoS aspects may have been an unintended consequence of Annie. There’s also speculation that several different cybergangs were involved, with some using another Mirai-like variant.
It was a cyber free for all.
The ultimate purpose, though, is a little unclear — other than showing that it’s possible to exploit vulnerable routers on an enormous scale.
TalkTalk has responded by fixing the TR-064 bug with new firmware that disables access on the open port. It also resets the WiFi password to the factory default setting — the one on the back of the box.
As I mentioned in the Mirai attack on cameras, it’s a good idea to examine your firewall port settings: if you can’t justify remote administration or other special features, simply remove all the public-facing ports.
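An added example (not from the original post) of what that port review looks like from the defender's side: a small Python script that parses netfilter-style log lines from a router's WAN interface and reports outside sources that touched the TR-064 (7547) or telnet (23) management ports, separating dropped probes from the worse case of accepted connections. The log format, the sample lines, and the ISP management range 192.0.2.0/24 are constructed assumptions, not real traffic or a real ISP range.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in iptables LOG style (not captured from a real router).
SAMPLE_LOG = """\
Nov 29 10:01:02 cpe kernel: [DROP] IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44321 DPT=7547 SYN
Nov 29 10:01:03 cpe kernel: [DROP] IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44322 DPT=23 SYN
Nov 29 10:01:05 cpe kernel: [ACCEPT] IN=wan SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=5060 DPT=7547 SYN
Nov 29 10:01:09 cpe kernel: [ACCEPT] IN=lan SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=443 SYN
Nov 29 10:02:11 cpe kernel: [ACCEPT] IN=wan SRC=203.0.113.99 DST=198.51.100.20 PROTO=TCP SPT=1234 DPT=7547 SYN
"""

# Assumed ISP management network (placeholder, not any real ISP's range).
ISP_ACS_NET = ip_network("192.0.2.0/24")
# The two ports the post discusses: TR-064 remote management and telnet.
CPE_MGMT_PORTS = {7547: "TR-064", 23: "telnet"}

LINE_RE = re.compile(
    r"\[(?P<verdict>\w+)\] IN=(?P<iface>\w+) SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Pull verdict, interface, source IP and destination port from one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"verdict": m["verdict"], "iface": m["iface"],
            "src": m["src"], "dpt": int(m["dpt"])}

def find_cpe_probes(log_text, isp_net=ISP_ACS_NET):
    """Return ({src: [ports]}, [(src, port)]) for WAN-side sources outside the
    ISP's management range that touched a management port; the second value
    lists the connections the router actually accepted."""
    hits = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["iface"] != "wan" or rec["dpt"] not in CPE_MGMT_PORTS:
            continue
        if ip_address(rec["src"]) in isp_net:
            continue  # the ISP's own management system is expected on 7547
        hits[rec["src"]].add(rec["dpt"])
        if rec["verdict"] == "ACCEPT":
            accepted.append((rec["src"], rec["dpt"]))
    return {src: sorted(ports) for src, ports in hits.items()}, accepted

if __name__ == "__main__":
    probes, open_hits = find_cpe_probes(SAMPLE_LOG)
    for src, ports in probes.items():
        print(f"{src} probed {[CPE_MGMT_PORTS[p] for p in ports]}")
    for src, port in open_hits:
        print(f"WARNING: {src} was ACCEPTED on {CPE_MGMT_PORTS[port]} ({port}) from the WAN")
```

Any entry in the accepted list means a public-facing management port is reachable from the Internet and is the first thing to close.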
If only average customers (long painful sigh) were better at WiFi administration, this whole attack would have been greatly diminished.
Ken Munro, Pen Test Partners’ brilliant founder — I’m a fan — noticed a flaw in TalkTalk’s initial response. Since most customers never bother to change their WiFi passwords from the factory default, the passwords scooped up by the hackers will still be current.
Attackers could use wigle.net — see our interview with Ken — to geo-locate the router and then engage in wardriving.
So it’s possible that the WiFi passwords were the real point of this attack, and cybergangs will be reselling their massive password list on the darkweb.
Putting on my black hat, I would charge premium prices for passwords associated with execs, VIPs, and other whales.
Do This Right Now
What’s the take-away?
If you’re a TalkTalk customer, you should change your password and set all your devices to use that new password.
For the rest of us, it’s probably not a bad idea to also change WiFi passwords every so often, and please use horse-battery-staple techniques.
For enterprise IT folks who think none of this has any value to them ‘cause it’s consumer-related, remember that injection attacks and default-itis are problems for you as well.