Following the news that suspected hackers knocked German households offline over the weekend, IT security experts from Corero Network Security, NSFOCUS, Synopsys, Positive Technologies and SentinelOne commented below.
Stephanie Weagle, Senior Director at Corero Network Security:
“The cyber threat landscape has become extremely tumultuous and increasingly sophisticated. Attackers are taking advantage of security vulnerabilities in any and all Internet connected devices—including home routers. With the release of the Mirai code, and the variants that will follow attackers are testing and exploiting devices more than ever before. Telco companies specifically must be on the offense when it comes to ensuring that their infrastructure is not vulnerable to botnet infiltration attempts as well as educating their customers as to how to better protect themselves from these threats. Additionally, Internet service providers must engage real-time DDoS defence for protection against these massive botnets, protecting their own infrastructure, as well as their customers’ service availability.”
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“In many broadband networks, customer premise equipment (home/business routers) calls home to company headquarters to validate paying customers, and to periodically get configuration and software updates. Take the systems offline that provider this service functionality to the routers, and the network can likely be impacted. Another possibility for the outage is that hackers uploaded malware to the update servers, and this malware was either pushed or pulled to thousands of routers. This is a perfect example of a denial of service outage that did not involve a targeted DDoS attack.
“Most people don’t know that all broadband service providers have ensured they have backdoors into ‘their’ customer-edge devices; which can be cable modems, DSL modems, routers, etc. The reason for this is simple. It ensures people don’t get services for free, while at the same time allowing the provider access into the remote devices for troubleshooting, updating, billing, etc. This helps reduce truck rolls and the associated costs. In this case, it appears that hackers have figured out a way to capitalise on the backdoor, and cause a noteworthy denial of service outage.”
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
“While it is still unclear what caused this mass outage, it is important to note that massively scalable cybersecurity attacks, as evidenced by the recent Mirai Botnet attacks, are sure to be the new rage with the malicious hacker community. This is particularly alarming because our testing tools have been able to uncover literally thousands of scalable attacks on very commonly deployed networking equipment and IoT devices over the last several years. On more than one occasion we have discovered malformed inputs directed at the broadcast address of networks which caused the firmware of particular devices to erase, all at once. It seems that simply finding a vulnerability is no longer all that interests the malicious hacker world, but finding and exploiting high impact vulnerabilities is very interesting. Unless developers and users implement more rigor into discovering and mitigating software vulnerabilities, scalable attacks will continue to grow.”
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“The attack of this kind isn’t something new: this year we had multiple reports about thousands of infected routers used for DDoS botnets. We would even suspect that this German story is about “a broken botnet”. After all, hackers are not very interested in broken routers, they prefer to take control over working routers, and use them for other attacks. Perhaps, someone tried to build a Mirai-like botnet out of these infected routers in Germany but something went wrong and routers just went off.
“Whether this attack could have been prevented depends on what type of vulnerability was used to infect the routers. For example, Mirai botnet code wasn’t too serious: the malware was looking for gadgets with well-known default passwords (admin: admin, root: password, and so on). If people had just changed these default passwords, their routers wouldn’t have been infected. On the other hand, the malware authors can use more serious, unknown vulnerability in routers’ firmware or in communication protocols. In this case, users hardly can do anything to protect themselves. Only serious security tests can detect such vulnerability. It should be done by service providers and by routers’ manufacturers… but unfortunately, they don’t do enough safety testing.”
Tony Rowan, Chief Security Consultant at SentinelOne:
This isn’t the first time we’ve seen a malware infection attempt against Internet routers. They are an attractive target because they are often unmonitored and, once breached, they provide two very good attack options. Firstly, they can be used to launch widespread botnet style attacks – DDoS for example. Secondly, the router determines the view of the Internet provided to the users and devices behind that router. This means that the attackers can modify the information received by the user. For example, they could manipulate DNS traffic so that you believe you are connecting to your bank but in fact you are being redirected to a spoof identical website for the purposes of stealing your credentials.
We can expect to see this attack vector explored more through the years. Most users do not maintain the software on their routers and therefore, even if patches are available, they are rarely installed. Until manufacturers have reliable automatic updates to their systems, the Internet router will remain a viable and lucrative target for the attackers.”