
Cyber attack knocks nearly a million routers offline

The Mirai botnet is getting stronger and more notorious with each day that passes. The
reason: insecure Internet-of-Things devices.

Last month, the Mirai botnet knocked the entire Internet offline for a few hours,
crippling some of the world's biggest and most popular websites.

Now, more than 900,000 broadband routers belonging to Deutsche Telekom users
in Germany were knocked offline over the weekend following a suspected cyber-attack,
affecting telephony, television, and internet service in the country.
The German Internet service provider Deutsche Telekom, which offers various
services to around 20 million customers, confirmed on Facebook that as many as
900,000 customers suffered internet outages on Sunday and Monday.

Millions of routers are said to be vulnerable to a critical remote code execution
flaw in routers made by Zyxel and Speedport, wherein Internet port 7547 is left open to
receive commands based on the TR-069 and related TR-064 protocols, which are
meant to be used by ISPs to manage customer devices remotely.
The same vulnerability affects Eir D1000 wireless routers (rebranded Zyxel
modems) deployed by Irish internet service provider Eircom, although there are no
signs that these routers are being actively exploited.

According to a Shodan search, around 41 million devices leave port 7547 open,
while about Million expose TR-064 services to the outside world.

According to an advisory published by the SANS Internet Storm Center, honeypot
servers posing as vulnerable routers are receiving exploit code every 5-10 minutes
for each target IP.

An intercepted packet showed how a remote code execution flaw in the
<NewNTPServer> part of a SOAP request was used to download and execute a
file in order to infect the vulnerable device.
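One way a defender can spot this abuse in traffic or honeypot logs is to check that the NTP server field of a TR-064 SetNTPServers request holds nothing but a hostname or IP address. The following is an added example, not code from the article or from any of the researchers it cites; it assumes the TR-064 Time:1 service namespace shown, and every request in it is constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the article): flag TR-064 SetNTPServers requests
# whose NewNTPServer value is not a plain hostname/IP. Assumes the TR-064
# Time:1 service namespace below; all sample requests are constructed.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)

def extract_ntp_servers(body):
    """Return the text of every NewNTPServer* element in a SOAP body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []          # not XML at all: nothing to classify here
    found = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]   # strip any {namespace} prefix
        if local.startswith("NewNTPServer"):
            found.append((elem.text or "").strip())
    return found

def classify_request(body):
    """'ignored' if no NTP fields, 'benign' if all look like hosts, else 'suspicious'."""
    values = extract_ntp_servers(body)
    if not values:
        return "ignored"
    if all(v and len(v) <= 253 and HOSTNAME_RE.match(v) for v in values):
        return "benign"
    return "suspicious"

def _envelope(*fields):
    # Constructed SOAP envelope for a TR-064 Time:1 SetNTPServers call.
    inner = "".join(f"<NewNTPServer{i}>{v}</NewNTPServer{i}>"
                    for i, v in enumerate(fields, 1))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
            f"{inner}</u:SetNTPServers></s:Body></s:Envelope>")

# Constructed samples: a legitimate ISP configuration push, and an injection
# attempt that hides a shell command where a hostname belongs.
BENIGN_REQUEST = _envelope("pool.ntp.org", "192.0.2.10")
SUSPICIOUS_REQUEST = _envelope("`cd /tmp;sh x`")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)]:
        print(name, "->", classify_request(req))
```

The same check works as an allow-list on the device side: an NTP server setting that is not a valid host is rejected before it ever reaches a shell.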

Security researchers at BadCyber also analyzed one of the malicious payloads that
were delivered during the attacks and discovered that the attack originated from a
known Mirai command-and-control server.

"The unusual application of TR-064 commands to execute code on routers has
been described for the very first time at the beginning of November, and a few days
later a relevant Metasploit module had appeared," BadCyber wrote in a blog post.
"It looks like someone decided to weaponize it and create an Internet worm based
on Mirai code."
It all started in early October when a cyber criminal publicly released the source code
of Mirai, a piece of nasty IoT malware designed to scan for insecure IoT devices,
mostly routers, cameras, and DVRs, and enslave them into a botnet, which is then
used to launch DDoS attacks.

The hacker created three separate exploit files in order to infect three different
architectures: two running different types of MIPS chips and one with ARM silicon.
The malicious payloads open the remote administration interface and then attempt
to log in using three different default passwords. After this is done, the exploit then
closes port 7547 in order to prevent other attackers from taking control of the
infected devices.

"Logins and passwords are obfuscated (or "encrypted") in the worm code using the
same algorithm as does Mirai," the researchers say. "The C&C server resides
under timeserver.host domain name, which can be found on the Mirai tracker list."

More in-depth technical details about the vulnerability can be found on ISC
Sans, Kaspersky Lab, and Reverse Engineering Blog.
Deutsche Telekom has issued an emergency patch for two models of its Speedport
broadband routers, the Speedport W 921V and the Speedport W 723V Type B, and is
currently rolling out firmware updates.

The company recommends that its customers power down their routers, wait 30
seconds and then restart them, so that the router fetches the new firmware
during the boot process.

If the router fails to connect to the company's network, users are advised to
disconnect their device from the network permanently.

To compensate for the downtime, the ISP is also offering affected customers free
Internet access through mobile devices until the technical problem is resolved.

Alarming rise in ransomware tracked


There are now more than 120 separate families of ransomware, said experts
studying the malicious software.
Other researchers have seen a 3,500% increase in the criminal use of net
infrastructure that helps run ransomware campaigns.
The rise is driven by the money thieves make with ransomware and the increase in
kits that help them snare victims.
Ransomware is malicious software that scrambles the data on a victim's PC and
then asks for payment before restoring the data to its original state. The costs of
unlocking data vary, with individuals typically paying a few hundred pounds and
businesses a few thousand.
Rapid growth
"Ransomware and crypto malware are rising at an alarming rate and show no signs
of stopping," said Raj Samani, European technology head for Intel Security.
Ransomware samples seen by his company had risen by more than a quarter in
the first three months of 2016, he added.
Mr Samani blamed the rise on the appearance of freely available source code for
ransomware and the debut of online services that let amateurs cash in.
Ransomware was easy to use, low risk and offered a high reward, said Bart Parys,
a security researcher who helps to maintain a list of the growing numbers of
types of this kind of malware.
"The return on investment is very high," he said.
Mr Parys and his colleagues have now logged 124 separate variants of
ransomware. Some virulent strains, such as Locky and Cryptolocker, were

controlled by individual gangs, he said, but others were being used by people
buying the service from an underground market.
"It's safe to say that certain groups are behind several ransomware programs, but
not all," he said. "Especially now with Eda and HiddenTear copy and paste
ransomware, there are many new, and often inexperienced, cybercriminals."
A separate indicator of the growth of ransomware came from the amount of net
infrastructure that gangs behind the malware had been seen using.
The numbers of web domains used to host the information and payment systems
had grown 35-fold, said Infoblox in its annual report which monitors these chunks
of the net's infrastructure.
"They use it and customise it for each attack," said Rod Rasmussen, vice-president of security at Infoblox.
"They will have their own command and control infrastructure and they might use it
to generate domains for a campaign," he told the BBC. "Then they'll have some
kind of payment area that victims can go to."
"The different parts are tied to particular parts of the chain," he said. "Infection,
exploitation and ransom."
Hidden files
The spread of ransomware was also being aided by tricks cyber-thieves used to
avoid being detected by security software, said Tomer Weingarten, founder of
security company SentinelOne.
"Traditional anti-virus software is not effective in dealing with these types of
attacks," he said.

The gangs behind the most prevalent ransomware campaigns had got very good at
hiding their malicious code, said Mr Weingarten.
"Where we see the innovation is in the infection vector," he said.
SentinelOne had seen gangs using both well-known techniques and novel
technical tricks to catch out victims.
A lot of ransomware reached victims via spear-phishing campaigns or booby-trapped
adverts, he said, but other gangs used specialised "crypters" and "packers" that
made files look benign.
Others relied on inserting malware into working memory so it never reached the
parts of a computer on which most security software keeps an eye.
"It's been pretty insane with ransomware recently," he said.

Google warns users of recent state-sponsored attacks
Over the last few days, Google has delivered a batch of warnings about potential
government-backed attacks against numerous journalists, academics and activists.
Many of the recipients have announced their personal warnings on Twitter. There
are some differences in the wording of some of the warnings, but Google has
confirmed that the Twitter postings appear to be authentic.
Google has been issuing such warnings since 2012. At first they were simple text
alerts across the top of the recipients' Gmail page. In March of this year it started to
use the larger more noticeable banners that are now appearing. The warnings do
not indicate that an account has actually been compromised; only that Google
researchers have seen indications of an attempt against the account.
The warnings are also not timely. The attack indicators were likely noticed up to a
month earlier. Google does not issue immediate warnings for fear that this will
allow attackers to determine the method of discovery. This time lapse has led to
certain assumptions that the attackers are likely to be the Russian actors, possibly
APT28 or APT29, that were linked to attacks against the Democrats, supposedly to
influence the election. (Last month, Russian hackers were also linked with
targeting journalists investigating the MH17 crash.)
This, however, has to be conjecture. Google does not publicly provide any
evidence on the identity of the attackers -- and at least one target is a Hong Kong-based Chinese activist (Joshua Wong Chi-fung).

"Google has been secretive about the algorithms and criteria it uses to determine
that a potential attack is state-sponsored," explains ESET senior research fellow
David Harley; adding that such secrecy about proprietary algorithms is not unusual
in the security industry. "The relationship with the APT29 targeted malware is
speculative, but I can't say there isn't a connection. If an attack is based on code
that is associated with known state-sponsored attacks, that could be another
indicator, if you have that sort of information. Google isn't exactly known for a spirit
of friendly cooperation with the security industry at large, but it certainly has
security resources."
There is, however, an element of hysteria about this current batch of warnings, as if
users need to take different precautions against nation-state attacks than they do against
everyday criminal attacks. Activists are more likely to be attacked for political
reasons, and in some cases the consequences could be more dire -- but the
defenses remain the same as those everybody should be using as a matter of
course.
"Journalists and professors already know what they should do - and if they don't,
they can easily look it up. If they don't already follow best practices it's because
they suffer from the fallacy that they aren't important enough to target," comments
F-Secure's Sean Sullivan. It is certainly true that users receiving Google warnings
should take immediate steps to confirm the integrity of their account: Google
doesn't say the attack was successful, but nor does it say it failed.
Caleb Chen, who works with Private Internet Access, points out that state-sponsored
attacks may be more prevalent than is commonly thought. Google says
only that it is likely to happen to less than 0.1% of its users. If there are a billion
Gmail users, he suggests, those figures mean that up to a million may have seen
state-sponsored probing. "As cyber-attacks continue to proliferate, often times
across borders, expect reports of this type of probing to rise in the future."
There is also an irony about warnings being attributed to foreign governments
coming at the same time as the US and particularly the UK governments are
increasing their own surveillance capabilities. Luis Corrons, technical director at
PandaLabs, insists there is a difference. "One thing is knowing that governments
are harvesting loads of information from everyone, and another thing is an attack
targeted at you, so they can compromise your computer and access (steal) all your
information, sources, etc."
Nevertheless, Chen reports a 30% spike in VPN sales from the UK in the week in
which the IP Bill completed its course through parliament. While standard computer
defenses are required to protect accounts, VPNs are now also required to protect
communications -- especially those of activists of any persuasion.
Account defenses obviously include strong passwords, 2FA where possible,
reputable anti-virus, and an awareness of spear-phishing techniques; but Corrons
offers one other piece of advice for journalists and activists: "Ideally have all your
sensitive information in a different computer to the one you use for your emails,
Internet, etc. Even better if this one is not connected to the Internet."

Donald Trump's smartphone is a risk to US national security, warn experts
Security experts in the US are concerned that Donald Trump's smartphone could
be easy prey for hackers, who could exploit the president-elect's use of social
media to take control of his device. Trump's apparent refusal to swap his Android
phone for a more secure handset could pose a significant security risk to the US
given the number of security vulnerabilities on Google's mobile platform.
Trump's knowledge of technology has been brought into question on several
occasions during his rise to presidency. Famed for his ongoing reference to
cybercrime as "the cyber" and his plan to fight terrorism by "closing" parts of the
internet, the president-elect's knowledge of modern tech has so far appeared
worryingly sparse.

This being the case, Trump could prove a relatively easy target for cybercriminals.
Taking control of his phone could be as easy as sending him an infected link via
social media and tricking him into clicking on it, security experts told The
Telegraph. From there, hackers could access Trump's emails, messages and other
media stored on his smartphone, as well as take control of his phone's camera and
microphone functions.
Whereas Barack Obama swapped his own phone for a toughened device provided
by the National Security Agency (NSA) earlier this year, it is reported that Trump is
reluctant to give up his personal phone and plans to continue using it after entering
the White House. Experts say Trump's use of the Android platform is particularly
concerning given the spate of malware attacks to have hit the platform in recent
years.
Martin Alderson, co-founder of mobile security firm Codified Security, said:
"President Obama was given a phone modified for his personal use, limited to
making phone calls. I think this will be the same for the president-elect, with his
tweeting done through a dedicated aide.
"Trump is going to find there's no way he gets to continue using a phone in the
same fashion as any other American citizen. The number of critical vulnerabilities
on his choice platform Android, such as Stagefright, TowelRoot, and Quadrooter,
show that Android is high risk for someone in his position."
The NSA might have a tough time ahead of it stripping Trump of his Twitter
privileges, but the president-elect will have to fall in line if he wants to avoid
becoming a victim of the dreaded cyber.
