Mirai UK Botnet Consists Mostly Of TalkTalk Routers

The Mirai botnet has spread like wildfire and now infects 2,398 home routers across the UK, with 99 percent of them being TalkTalk routers.

According to research by cyber security firm Imperva, the Mirai botnet has been used to launch distributed denial of service (DDoS) attacks, and has been responsible for taking down major services such as Amazon, Twitter, GitHub, Spotify and Reddit, as well as knocking broadband services from TalkTalk and the Post Office offline.

The botnet was also used to launch a DDoS attack against Deutsche Telekom routers, which affected over 900,000 of its customers; however, it is not known whether this attack was caused by the same Mirai botnets as the others.

Rise of Mirai

The spread of Mirai appears to be down to the leaking of its source code on HackForum which placed it in the hands of hackers versed in using botnets to launch DDoS and other cyber attacks.

With the source code released, the Mirai malware has evolved from its original guise, which makes it harder for security and technology companies to patch and protect against.

Routers infected with Mirai enable hackers to exploit the TR-064 protocol, widely used by many internet service providers (ISPs) to remotely manage network routers. By modifying the TR-064 command that synchronises a router with an external time source, a hacker can make the router execute bash commands remotely.

With this level of control, hackers can open port 80 on routers, pinch Wi-Fi passwords, modify iptables rules and inject malware into the device.

This vulnerability in TR-064 was effectively the enabler of the Mirai attacks that cropped up in ISP-distributed routers.
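As an added defensive example (not code from the article, Imperva, or any router vendor), the check a router's TR-064 handler should apply before the time-sync command ever reaches a shell: accept only a plain hostname or IPv4 address as the NTP server argument and reject anything else. It assumes the TR-064 Time service action SetNTPServers with the argument NewNTPServer1, and both SOAP bodies below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist: a dotted-quad IPv4 address or an RFC 1123 hostname. Anything that
# is not one of these (spaces, quotes, backticks, semicolons) is rejected, so a
# modified time-sync command can never be passed through to a shell.
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_ntp_host(value: str) -> bool:
    """True only if value is a bare hostname or IPv4 address."""
    return bool(_IPV4.match(value) or _HOSTNAME.match(value))


def check_tr064_body(soap_body: str) -> dict:
    """Parse a TR-064 SOAP request and validate every NewNTPServerN argument.

    Returns the action name and the list of rejected fields so a gateway
    filter or IDS rule can drop the request when the list is non-empty.
    """
    root = ET.fromstring(soap_body)
    action, rejected = None, []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        if local == "SetNTPServers":        # assumed TR-064 Time action name
            action = local
        elif local.startswith("NewNTPServer"):
            if not is_valid_ntp_host((elem.text or "").strip()):
                rejected.append(local)
    return {"action": action, "rejected": rejected}


# Constructed benign request: a legitimate NTP hostname.
GOOD_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
  <NewNTPServer1>pool.ntp.org</NewNTPServer1>
 </u:SetNTPServers></s:Body></s:Envelope>"""

# Constructed rejected request: the same field carrying shell metacharacters
# instead of a hostname (a harmless placeholder, not a real payload).
BAD_REQUEST = GOOD_REQUEST.replace("pool.ntp.org", "`echo injected`")

if __name__ == "__main__":
    print(check_tr064_body(GOOD_REQUEST))  # {'action': 'SetNTPServers', 'rejected': []}
    print(check_tr064_body(BAD_REQUEST))   # {'action': 'SetNTPServers', 'rejected': ['NewNTPServer1']}
```

The same allowlist can be applied at the ISP edge to any TR-064 traffic that is reachable from the WAN, which is where the comment below notes it should never have been exposed in the first place.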

The number of routers across the UK carrying Mirai infections was a surprise for Imperva, which noted that such an IP distribution of a botnet is uncommon; the data indicates a vulnerability in locally distributed devices, which has led to the rise of a Mirai botnet in Britain.

This indicated that the Post Office and TalkTalk attacks were likely carried out in the UK rather than further afield.

“With variants of Mirai already leveraging the exploit for large-scale attacks, it’s time for ISPs to proactively assume responsibility and issue emergency patches,” said Imperva.

“Doing so would protect the privacy of their customers and prevent their routers from falling into the hands of botnet operators who would endanger the entire internet ecosystem.”

In a statement sent to Silicon UK, TalkTalk said it is looking into the attacks on its routers and the impact of Mirai.

“Along with other ISPs in the UK and abroad, we continue to take steps to review the potential impacts of the Mirai worm. A small number of customer routers were affected by this issue. We have made good progress repairing these and continue to deploy additional network-level controls to further protect our customers,” a spokesperson from the company said.

With the rise of smart and Internet-connected devices, botnets are cropping up in all manner of devices, including a giant CCTV camera botnet.

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

  • Some points of clarification:

    "Routers infected with Mirai enable hackers to exploit the TR-064 protocol widely used by many internet service providers (ISPs) to remotely manage network routers. "

    TR-064 is not used for remote management, nor is it widely deployed. TR-064 is an older LAN-side protocol used for initial basic provisioning using a LAN-side application (as would come on a router installation disc).

    "This vulnerability in the TR-064 was effectively the enabler of the Mirai attacks that cropped up in ISP distributed routers."

    This was not a vulnerability in TR-064. It was a vulnerability in these vendors' implementations of TR-064, which allowed the attackers to run code that downloaded Mirai. Secondly, it was exploitable remotely only because they were piggy-backing TR-064 on another port used by a totally different protocol that is exposed to the WAN, which TR-064 never should have been.
