More than 900,000 routers belonging to Deutsche Telekom users in Germany were not able to connect to the Internet due to an alleged cyber-attack.
The affected routers were used by the Deutsche Telekom customers also for fixed telephony and TV services.
The problems lasted at least two days, the outage began on Sunday, November 27, at around 17:00, local time.
Deutsche Telekom users all over the country were not able to connect online using the users provided by the company.
Below a graphic representation of the outage provided by the Allestoerungen.de.
The outage lasted a couple of hours on Sunday, then the problems continued on Monday morning from 08:00.
The company notified via Facebook its 20 million customers to have solved the problems at around 12:00, local time, but users continued to face connectivity issues.
What has happened?
According to the company, hackers targeted the routers exploiting a security issue. Deutsche Telekom and router vendors are working together to develop a firmware fix and roll out the software patch.
Deutsche Telekom is currently rolling out firmware updates.
“The massive interference from connections of Deutsche Telekom, according to findings from the Federal Office for Security in Information Technology (BSI), follow a worldwide attack.” reads the abendblatt.de.
“According to BSI, the attacks were also noticeable in the government-protected government network, but could be repelled with effective protection measures. “
Deutsche Telekom customer case recommended that users unplug their devices, wait for 30 seconds and restart their router. In case this procedure is not able to restore the connectivity it is suggested to permanently disconnect the router from the Deutsche Telekom network.
“German Telekom is now offering a firmware update for the affected routers. Details (in German) are here: https://www.telekom.de/hilfe/geraete–zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v. Affected user are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.” reported the SANS Institute.
Deutsche Telekom is offering free mobile Internet until the technical problem is resolved.
Deutsche Telekom didn’t provide further technical details about the alleged cyber attack either the affected router models.
It is not clear which is the threat that compromised the Deutsche Telekom routers, experts speculated the involvement of a malware that could have prevented equipment from connecting to the company’s network.
Security experts from ISC Sans published an interesting report that revealed a significant increase in scans and exploitation attempts for a SOAP Remote Code Execution (RCE) vulnerability via port 7547 against Speedport routers.
This specific model of routers is widely used by Deutsche Telekom for German users.
“For the last couple days, attack against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.” added the ICS SANS.
“According to Shodan, about 41 Million devices have port 7547 open. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.”
According to the ICS SANS report, it seems that attackers tried to exploit a common vulnerability in the TR-069 configuration protocol. Experts highlighted the availability of a Metasploit module implementing the exploit for this vulnerability.
An unconfirmed List of vulnerable routers includes the Eir D1000 Wireless Router (rebranded Zyxel Modem used by Irish ISP Eir) and the Speedport Router (Deutsche Telekom).
According to BadCyber, the responsible is the Mirai botnet that was designed to exploit Eir D100 (Zyxel Modems) via port 7547.
“TR-064 protocol is based on HTTP and SOAP and its default port is TCP 7547. Commands are sent as POST requests to this port.” states the BadCyber.
!The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following command:
busybox iptables -A INPUT -p tcp –destination-port 7547 -j DROP
busybox killall -9 telnetd
which should make the device “secure”, unless until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
(Security Affairs – Deutsche Telekom, IoT)