Post Office and TalkTalk broadband customers have had their routers malfunction as a result of a cyber attack yesterday. The botnet responsible for the issues stems from the Mirai worm, the same malware that took down Deutsche Telekom routers earlier this week.
According to the BBC, 100,000 Post Office customers were affected. TalkTalk has not released any information on the number of customers affected other than that ‘A small number of customer routers have been affected’. The attack on Deutsche Telekom affected 900,000 customers.
Unlike the server attacks that led to a data breach at TalkTalk in autumn 2015, the Mirai worm spreads from an infected computer to other devices, damaging Linux-based systems such as customers’ routers.
The affected router models included the D-Link DSL-3780 and the Zyxel AMG1302. Security experts had previously suggested the routers were vulnerable, and The Register had even contacted TalkTalk on 28 November, before the hack was publicised, to ask them about the routers’ vulnerabilities.
Experts are in part attributing the Mirai worm’s success to what Andy Green, senior technical specialist at Varonis, describes as ‘default-itis’, where users fail to change the device’s default password. However, Green believes this is as prevalent in the office as in the home, stating: ‘The lessons that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour? Not much!
‘Unfortunately, default-itis still plagues large organisations. As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.’
Tweets directed at TalkTalk from customers suggest that the effects of the attack are still being felt, with customers’ routers still offline and the company’s router reboot advice not working.
Stephen Gates, chief research intelligence analyst at NSFOCUS, believes this is far from the last attack of this sort that service providers will face: ‘The upsurge of commercial, industrial, and municipal IoT-based attacks and outages was part of my predictions for 2017. It appears the world will not wait for January 1, and the weaponisation of these technologies has arrived - ahead of schedule. No longer can service providers continue to operate their vulnerable networks in this fashion. Hackers apparently have them in their cross hairs, and the damage they can cause to their scantily secured infrastructures will continue to be a major pain in the backside for their customers; who are now likely looking for other options.’