Scores of hacked TalkTalk routers now part of Mirai-based botnet, security researchers say
Researchers also found that all 2,398 attacking botnet devices were located within the UK

The prolific Mirai botnet's malicious activities continue, highlighting how vulnerable and insecure consumer devices feed the creation of botnets. Security researchers have uncovered a whole host of compromised home routers, hijacked and enslaved as part of a new Mirai variant botnet. According to Imperva researchers, "over 99% of the hijacked routers belonged to TalkTalk".

The yet-to-be-named botnet attack shed light on a new TR-064 vulnerability that the Mirai malware variant was exploiting. Researchers believe that the attack and the TR-064 vulnerability pose a serious "threat to customers of ISPs around the world".

Imperva researchers discovered that one of their clients, a UK-based bitcoin company, "was hit with a slew of GET and POST flood attacks" on 5 December.

"The offenders' persistence, as well as its choice of targets, shows this to be a premeditated offensive — not the typical random burst launched from a rented DDoS-for-hire service," the researchers said.

The researchers also found that all 2,398 attacking botnet devices were located within the UK.

"This kind of IP distribution is uncommon for DDoS botnets. Typically it indicates a vulnerability in a device supplied by local retailers, which allows for such a regional botnet to appear," researchers noted. "In this case, a quick scan revealed a horde of malware-infected home routers, over 99% of which belonged to the TalkTalk Telecom network. So we had our device and our distributor."

How it happened

TR-064 is a widely used protocol that most ISPs rely on to manage routers remotely. TR-064 communication takes place on port 7547, which receives the remote commands. The researchers explained: "One such command is Time/SetNTPServers, used to synchronise a router with an external time source. However, this same command can also be modified to let hackers remotely execute bash commands."
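The weakness described above is a classic input-validation failure: an NTP server value intended to be a hostname or IP address is handed to a shell unchecked. The following is an added example, not Imperva's code or any TalkTalk firmware, showing how a TR-064 SetNTPServers handler should treat that parameter: accept only a syntactically valid hostname or IP literal, and hand the result to the time-sync tool as an argument vector rather than through a shell. The function names, the `ntpdate` argv and the config-line format are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Sequence

# One DNS label (RFC 1123 style): letters, digits and hyphens only,
# no leading or trailing hyphen, 1 to 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ntp_server(value: str) -> bool:
    """Accept only a plain IPv4/IPv6 literal or a DNS hostname.

    Anything else (whitespace, quotes, ';', '|', '$', backticks, ...) is
    rejected, so a SetNTPServers value can never carry shell syntax.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)      # exact IP literal, e.g. 192.0.2.10
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # All labels must match, and the top-level label may not be all digits
    # (that rejects malformed dotted quads such as 999.1.1.1).
    return all(_LABEL.match(lbl) for lbl in labels) and not labels[-1].isdigit()


def validate_ntp_servers(values: Sequence[str]) -> List[str]:
    """Return the accepted list, raising on the first bad value."""
    accepted = []
    for v in values:
        if not is_valid_ntp_server(v):
            raise ValueError(f"rejected NTP server value: {v!r}")
        accepted.append(v)
    return accepted


def build_ntp_argv(values: Sequence[str]) -> List[str]:
    """Build the argument vector for the time-sync tool (hypothetical ntpdate call).

    The unsafe pattern is os.system("ntpdate " + value): the value is parsed by
    a shell. Passing a list to subprocess.run(argv, shell=False) means each
    server is a single argument and is never interpreted as a command.
    """
    return ["ntpdate"] + validate_ntp_servers(values)


def render_ntp_config(values: Sequence[str]) -> str:
    """Emit one 'server <host>' line per validated entry (assumed config format)."""
    return "".join(f"server {s}\n" for s in validate_ntp_servers(values))
```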

In this incident, Imperva researchers had nearly ruled out TR-064, as none of their random scans found any devices with port 7547 open. However, when they checked the addresses in Shodan, the researchers found that the ports had been open until just a "few days ago".

The researchers said: "The assault was executed by DDoS bots running on BusyBox, using 'Anus' as their user-agent of choice. We're unsure why the attackers chose this specific moniker, but some stones are better left unturned."

The same Mirai variant that enslaved the TalkTalk routers may also have been behind the massive DDoS attack against Deutsche Telekom.

TalkTalk router passwords should be changed

In the wake of the attacks against TalkTalk, security experts have cautioned customers to change their router passwords. According to a BBC report, TalkTalk is still maintaining that there is "no need" for users to change their router settings. A spokesperson for the firm said customers could change their router passwords "if they wish", adding that she believed there was "no risk to their personal information".

However, security experts have criticised TalkTalk for not pressing users to change their passwords and adopt additional security measures. "It does a disservice to the complicated debate around security and privacy to give out advice of this fashion," said Don Smith, technology director at Dell SecureWorks.

Pen Test Partners' Ken Munro said: "TalkTalk appear to be flying fast and loose with customer data security, yet again."

According to Imperva, TalkTalk is aware of the situation and has issued a fix for the vulnerability that closes the TR-064 interface and resets the routers.

Imperva researchers advised: "With variants of Mirai already leveraging the exploit for large-scale attacks, it's time for ISPs to proactively assume responsibility and issue emergency patches. Doing so will not only protect the privacy of their customers but also prevent their routers from falling into the hands of botnet operators, who would use them to endanger the internet ecosystem."