Cyber attack on DSL routers on November 27, 2016

from Wikipedia, the free encyclopedia

A cyber attack on DSL routers on November 27, 2016 led to the failure of around one million DSL routers in Germany, mainly Deutsche Telekom devices. This made it the largest attack of its kind in Germany. In the UK, around 100,000 customers of the Internet service providers Post Office, Kcom and TalkTalk were affected.

The aim of the attack was to establish a connection via the remote maintenance protocol (TR-069) and then, using a command of the TR-064 protocol that is not part of the TR-069 specification, to smuggle malware onto the end devices in order to incorporate them into a botnet. The attack was based on a vulnerability discovered in routers from various manufacturers in early November 2016. However, the devices affected by the failure could not be compromised as intended; they failed instead because of an error in the processing of several consecutive data packets.

According to the British telecommunications company Kcom and the specialist service Securelist, the malware Mirai was used for the attack; its source code had been published at the beginning of October 2016 and had already been used for various attacks.

Course

At the beginning of November 2016 it became known that a router of the Irish telecommunications company Eircom allowed commands of the related TR-064 protocol to be executed over TCP port 7547, the port used by the remote maintenance protocol TR-069. The software and hardware of the router concerned come from the Taiwanese manufacturer Zyxel. Using TR-064 commands, which are not part of the TR-069 implementation, attackers can exploit the device to gain access and bring it under their control. A corresponding proof of concept was published on November 8, 2016. On November 15, the vulnerability was confirmed by IT security researcher Darren Martyn, who published an exploit on November 22. Martyn also identified other devices susceptible to the vulnerability, including devices made by Aztech, D-Link, Digicom and T-Com / T-Home. As of November 28, he had found 48 devices affected by the vulnerability.

On November 26, the SANS Internet Storm Center recorded a surge in attacks on port 7547 of IP devices in Germany, the port that the TR-069 standard specifies. With the help of honeypots it was determined that the attackers were attempting to use a specific TR-064 command to load malware onto the devices and execute it, which matches the publications from early November.

In the course of these attacks, the first malfunction reports came from Deutsche Telekom customers in Germany on the afternoon of November 27, 2016. The malfunctions were not limited to specific regions but occurred nationwide, although only with certain DSL router types. The attack reached its peak on the evening of the same day, with at times 900,000 disrupted Internet connections in Germany. This mainly affected customers using DSL routers of the Speedport models W 921V, W 921V Fiber, W 723V Type B, W 503V Type C, W 504V and Entry I from the Taiwanese manufacturer Arcadyan. Customers of other network providers were not affected.

As it turned out, a wave of attempted attacks using the TR-069 communication protocol had been registered around the world, aimed at compromising the devices with TR-064 commands. According to the Federal Office for Information Security (BSI), the attackers tried to load malicious software onto the devices in order to incorporate them into an IoT botnet and use the infected devices for further attacks. It was the largest attack of its kind in Germany. Internet access, television via IP and Internet telephony were affected.

In the case of the Telekom end devices, the attacker's request to establish a connection via port 7547 of the TR-069 protocol was accepted and a connection opened. However, the devices were immune to the second step of the attack, the manipulated TR-064 command intended to compromise them, because the attack required a Linux-based operating system, which is not installed on the Telekom routers. Because of the flood of TR-069 requests, the devices opened a multitude of connections and did not terminate them as intended, which caused them to crash, probably due to a bug in the router software. The susceptibility to these crashes was eliminated on the morning of November 28, 2016 by a firmware update, which significantly reduced the number of affected connections. By November 29, Deutsche Telekom had published further updates for the six Arcadyan devices affected by the failure.

Linus Neumann from Netzpolitik.org assumes that the total failures were not "the attacker's intention". Hanno Böck from Golem.de also speaks of "collateral damage" with regard to the failure of the telecommunications equipment. Darren Martyn, who published a list of affected manufacturers and devices on December 5, likewise concludes in his analysis that the effects of the attack could have been worse if the attackers had been more skilful. In an official statement, Telekom stated that the "attack method [...] is based on a publication on the Internet in early November 2016".

On December 2, 2016, it became known that from November 26 the devices of British Internet providers had also been affected by disruptions with the same effect as on the Telekom routers. Around 100,000 Post Office and 10,000 Kcom customers using Zyxel devices were affected. TalkTalk speaks of a "low percentage" of affected customers with D-Link devices. As with Telekom, the malfunctions were resolved by updating the router firmware, with the exception of around 1,000 Kcom customers for whom the automatic update failed and who required further support.

On December 3, Andrew Tierney of the IT security company Pen Test Partners published the results of an analysis of the attack on affected TalkTalk devices. According to this analysis, an attempt was apparently made to steal the routers' WiFi network data (SSID) and passwords. As a countermeasure, TalkTalk deactivated the TR-064 interface and reset the devices to factory settings. Nevertheless, according to media reports, stolen WLAN data appeared on the Internet. BBC News received 100 of 57,000 router records from an unknown person that could have originated from this attack.

The device manufacturer Zyxel, on whose router the vulnerability was discovered, commented on the events on December 2, 2016. In a statement, Zyxel confirmed the attack method documented at the beginning of November 2016. According to the statement, it is possible to send a TR-064 command, which is intended only for the local network, via the Internet-facing side of port 7547. In this way it is possible to gain access to the device and change settings. Two chipsets with specific SDK versions from the chip supplier Econet were identified as the cause. For devices still within the warranty and support period, Zyxel offers updates that close the security gap.
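As an added defender-side illustration (not from the article or any of the parties it describes), the following Python script applies the distinction the Zyxel statement and the SANS honeypot observations draw to a few constructed log lines: a TR-064 action, which is LAN-only, arriving on the WAN-facing TR-069 port 7547 from a non-RFC1918 address is flagged, and sources that hammer the port within one minute (the pattern that crashed the Arcadyan devices) are listed. The log format, the address values and the `Time` service action name are assumptions made for the example.

```python
import ipaddress
from collections import Counter

TR069_PORT = 7547                       # port the TR-069 standard assigns to the CPE side
TR064_NS = "urn:dslforum-org:service:"  # namespace prefix of TR-064 (LAN-only) SOAP actions

# RFC 1918 ranges: the only places a TR-064 call should legitimately come from.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (assumed format, not from the article):
# "<time> <src_ip> <dst_port> <method> <path> <SOAPAction or ->"
SAMPLE_LOG = """\
2016-11-27T16:01:02 203.0.113.7 7547 POST /act urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T16:01:03 203.0.113.7 7547 POST /act urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T16:01:04 203.0.113.7 7547 POST /act urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T16:01:05 192.168.1.20 7547 POST /act urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T16:02:10 198.51.100.9 7547 GET / -
2016-11-27T16:02:11 203.0.113.7 80 GET /index.html -
"""


def parse_line(line):
    """Split one log line into its six fields."""
    time, src, port, method, path, action = line.split(maxsplit=5)
    return {"time": time, "src": src, "port": int(port),
            "method": method, "path": path, "action": action}


def is_wan_source(ip):
    """True when the address is outside the private ranges, i.e. the request came from the Internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def flag_tr064_from_wan(lines):
    """Records where a LAN-only TR-064 action arrived on the WAN-facing TR-069 port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["port"] == TR069_PORT and rec["action"].startswith(TR064_NS) and is_wan_source(rec["src"]):
            hits.append(rec)
    return hits


def flood_sources(lines, threshold=3):
    """Sources sending at least `threshold` requests to port 7547 within one minute."""
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["port"] == TR069_PORT:
            per_minute[(rec["src"], rec["time"][:16])] += 1   # key on (source, YYYY-MM-DDTHH:MM)
    return sorted({src for (src, _), n in per_minute.items() if n >= threshold})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in flag_tr064_from_wan(lines):
        print("TR-064 from WAN:", rec["time"], rec["src"], rec["action"])
    print("flood sources:", flood_sources(lines))
```

On the constructed sample only the Internet source 203.0.113.7 is reported; the identical request from 192.168.1.20 is left alone because TR-064 from the LAN is the intended use.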

Reactions

The attacks were also registered in the government network protected by the Federal Office for Information Security (BSI), but had no consequences there thanks to protective measures. After the attack became known, the National Cyber Defense Center, led by the BSI, coordinated the IT measures of the federal authorities.

The federal government said the disruption did not affect the work of the federal government, but that it showed the importance of cybersecurity.

Telekom compensated affected customers who also had a mobile phone contract with a free day pass for mobile Internet access.

In response to the outage, Federal Minister of the Interior Thomas de Maizière presented plans to set up a "rapid reaction force" that would be available around the clock and able to investigate attacked infrastructure on site in the event of severe attacks. The plans are part of the new version of the cyber security strategy, which was to be approved by the cabinet in autumn 2016. Reaction forces are to be set up at the Federal Office for the Protection of the Constitution (BfV) and the Federal Criminal Police Office (BKA); together with the group at the Federal Office for Information Security, there would then initially be three such forces.

At a conference, Telekom CEO Timotheus Höttges called for rearmament, by which he meant the creation of a "cyber NATO".

Investigations

Telekom spokespersons said that the router failures may have been caused by outside intervention and were not a "normal", though also "annoying", system failure. Analyses by Telekom's IT security and forensic experts pointed to a hacker attack.

The specialist service Securelist analyzed the logs and pointed out that structures indicating the use of a Mirai application could be identified in the attack.

The Cologne public prosecutor's office, the Central and Contact Point Cybercrime (ZAC) of the state of North Rhine-Westphalia, on November 29, 2016 opened on its own initiative proceedings "under Sections 303a and 303b of the Criminal Code against unknown persons for computer sabotage and data alteration, mainly of routers of Deutsche Telekom". The BKA is in charge of the investigation.

Almost three months after the massive attacks on Telekom's infrastructure, a British man was arrested in London on February 22, 2017. National Crime Agency officers arrested the 29-year-old at a London airport. He was accused of computer sabotage in a particularly serious case, the Federal Criminal Police Office said. This was preceded by investigations by the British, Cypriot and German authorities, supported by Europol. The public prosecutor's office in Cologne applied for the suspect's extradition. At the start of the trial before the Cologne Regional Court on July 21, 2017, the 29-year-old Briton pleaded guilty. According to his statements, he acted on behalf of a Liberian telecommunications company, for which he received 10,000 US dollars, and cited money worries as his motive. On July 28, he was sentenced to one year and eight months, suspended. The convicted man was extradited to the UK in early September 2017, where he is alleged to have carried out attacks on the infrastructure of Lloyds Banking Group and Barclays and subsequently tried to blackmail the financial services providers.

Literature

  • Jörg Diehl, Marcel Rosenbach: Attacks for rent. Why more than a million Telekom routers failed a year ago. In: Der Spiegel. No. 49, 2017, pp. 76-77 (online).
