Deutsche Telekom attributes the mass failure of routers since the weekend to a suspected hacker attack. “We expect an influence from the outside,” said a spokesman for the company. According to a first analysis by the Federal Office for Information Security (BSI), the attackers made a mistake this time: the Speedport routers crashed, but the perpetrators were not able to install malicious software. “This time we were lucky, the attack did not work properly,” BSI President Arne Schönbohm told “Welt”.
Since Sunday morning, the Bonn-based telecommunications group has recorded widespread nationwide problems with its DSL connections. More than 900,000 of its approximately 20 million fixed-line customers are affected and cannot use their connections: anyone who has booked one of Telekom's Magenta complete offers has at times been unable over the past two days to make phone calls, surf the Internet or watch television. In current Telekom DSL connections these applications are all combined and run through Telekom's Speedport router.
Telekom itself reported on Monday that it had identified various Speedport models as the cause of the problems. While Telekom's DSL network infrastructure is working properly, some of the routers on the customer side are behaving erratically: “There is no clear error pattern: some experience intermittent restrictions or very strong fluctuations in quality, but there are also customers for whom nothing works at present,” said a Telekom spokesman.
On outage-reporting sites on the web it became clear that the outages are not tied to particular places or line types but are distributed across the country. The only common denominator is Telekom's Speedport routers, which the group rents out to its DSL customers. The group therefore suspects a hacker attack on the devices: “Based on the error pattern, it cannot be excluded that the routers were deliberately influenced from outside, with the result that they can no longer log in to the network,” said a spokesman for the group.
On Monday, evidence mounted that the unknown perpetrators could have used the remote maintenance interface of the Speedport devices for attacks. According to this, the Telekom routers are only the most prominent victims of a global attack on DSL routers that share a common weak point. CERT-Bund, the computer emergency response team at the Federal Office for Information Security (BSI), published a network analysis on Monday afternoon via the short message service Twitter. According to it, unknown perpetrators have been scanning DSL connections around the world a million times over since the night of Saturday to Sunday for an open network port, number 7547. This port is typically used for the remote maintenance interfaces TR-069 and TR-064. Through this interface, telecommunications providers such as Telekom can remotely make changes to the router or push software updates during ongoing operation.
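As an added example that is not part of the original article, the following sketch shows how an operator could spot the scanning described above in firewall logs: it counts inbound TCP connection attempts to port 7547 from sources outside the provider's own management servers. The log lines are constructed samples in iptables LOG format, and the allowlisted server range is an assumption.

```python
import ipaddress
import re
from collections import Counter

TR069_PORT = 7547
# Assumption: the provider's remote-maintenance (ACS) servers sit in this range.
ACS_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = """\
Nov 27 03:12:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 27 03:12:04 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51240 DPT=7547 SYN
Nov 27 03:13:10 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=7547 SYN
Nov 27 03:14:55 gw kernel: IN=ppp0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=443 SYN
Nov 27 03:15:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=44123 DPT=7547 SYN
Nov 27 03:15:09 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=7547
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty


def unexpected_tr069_sources(log_text, allowed=ACS_NETWORKS, port=TR069_PORT):
    """Count inbound TCP SYNs to `port` per source address outside `allowed`."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue  # other protocol or other destination port
        if "SYN" not in line.split():
            continue  # only count new connection attempts
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # malformed or truncated log line
        if any(src in net for net in allowed):
            continue  # legitimate remote maintenance traffic
        hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for src, n in unexpected_tr069_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} connection attempt(s) to TCP/{TR069_PORT}")
```
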
But in the past four years, routers had already been attacked by hackers via this interface on several occasions: in 2012, for instance, several router models used by customers of Telefonica O2 were the target of attacks. Telekom does not build the Speedport devices itself but purchases so-called OEM devices, which Asian manufacturers such as Arcadyan or Huawei customize for the German market with the Telekom brand.
Security researchers had already found the exploited vulnerability on 8 November. At that time, they discovered a vulnerability in the remote maintenance protocol of various OEM devices and published it in the vulnerability database Exploit-DB. Already in this description, the open network port 7547 is the gateway for the hackers. Apparently it took until the end of November for the unknown hackers to automate the attack described on Exploit-DB and carry it out on a mass scale.
In an analysis on the site badcyber.com, which the BSI's CERT team recommended on Monday via Twitter, security researchers explain that the unknown hackers appear to be using an extended version of the malicious software “Mirai” for the new attack in order to take control of the devices and install malicious software on them. “Apparently the aim is to build up a new botnet. However, this attack works only with a specific router type, even if more devices were disrupted,” a BSI spokesman told “Welt”.
Since Monday at noon, several antivirus companies have become aware of the new Mirai variant and have published its signature in their joint database VirusTotal. Mirai is malicious software that is now freely available on the net as a kit. It is designed to take over devices in the Internet of Things and join them into a so-called botnet. This botnet then waits for commands from the hackers and can be used for blockade attacks on infrastructure in the network. An attack by a Mirai botnet on the infrastructure provider Dyn had already triggered worldwide network problems at the end of October. Apparently hackers are currently working on a new botnet.
Telekom recommended that affected customers restart their routers, but for many customers this helped only briefly or not at all. This, as well as the analysis published by the BSI, suggests that the attack is continuing and that routers fall victim to the hackers again shortly after restarting. On Monday afternoon, Telekom finally released several software updates for the Speedport devices. Whether these still work if the Mirai software has already taken control of the router was not clear by the editorial deadline.