The BBC has just broken the news that TalkTalk and Post Office broadband customers have had their online access cut by an attack targeting certain types of internet routers. A spokeswoman for the Post Office told the BBC that the problem began on Sunday and had affected about 100,000 of its customers. Talk Talk also confirmed that some of its customers had been affected, and it was working on a fix. It is not yet known who is responsible for the attack. IT security experts from Positive Technologies, NSFOCUS, Varonis, Lieberman Software and ESET commented below.
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“The emerging trend to hack and abuse routers and other everyday devices has caused a raft of Internet blackouts recently. The issue lies with the sheer scale of the problem, as countless customers often have the same vulnerable equipment, making it easy to build an army of infected devices. Combine this with the fact that the malware required is now freely available online, and cybercriminals have an easy way to collect hordes of zombie devices for a variety of nefarious means.
“It’s hard to say without specifics of the attack, but preventability depends on the type of vulnerability used. If it is similar to Mirai, abusing default router passwords, it is a relatively straightforward fix. However, if this was caused by an unknown vulnerability in the router firmware or communication protocols, then it is a far more complex issue. Testing should be done by device manufacturers before they are released onto the market.”
Positive Technologies also released a piece of research today into how people view companies that have been hacked. You can read more about it here: https://www.ptsecurity.com/ww-en/wwa/news/119863/
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“The upsurge of commercial, industrial, and municipal IoT-based attacks and outages was part of my predictions for 2017. It appears the world will not wait for January 1, and the weaponization of these technologies has arrived – ahead of schedule. No longer can service providers continue to operate their vulnerable networks in this fashion. Hackers apparently have them in their crosshairs, and the damage they can cause to their scantily secured infrastructures will continue to be a major pain in the backside for their customers; who are now likely looking for other options.”
Andy Green, Senior Technical Specialist at Varonis:
“The lessons that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour?
Unfortunately, default-itis still plagues large organisations. As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.
Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which defaults accounts were never changed.
For those organisations who think that the Mirai botnet incident has nothing to with them, or have to convince their board of this, here are two points to consider.
- The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.
- Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience — thinking that users will change the passwords later — will always be an issue for organisations.
You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders.
In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“When the modified Mirai attack hit Deutsche Telekom over the weekend, many guessed that the fact that it simply shut down the devices it hit was a mistake by the bad guys trying to steal data. Now that Talk Talk and Post Office routers are falling victim to the same type of attack shutting them down, it begs the question if the shutdown is the goal. Most cybercrime is about money. But every now and then there are bad guys who just want to watch the world burn. Another possible motive that only time can reveal would be using these Mirai attacks as a distraction as there is some other attack grabbing something valuable. Using a DDoS style shut down to focus attention in one place while your pocket is picked from another is a tactic bad guys have used for a long time. It could be that these new Mirai shut down attacks are a new way to achieve the same distract and steal combination.”
Mark James, IT Security Specialist at ESET:
“Router attacks or compromises could form considerable risk. For the consumer, the single point of failure that has all their internet data travelling through is their router. Regardless of the connection internally, if the router is hijacked then in most cases the ability to filter traffic through to any website they choose is as simple as changing DNS servers. Quite simply, if your router gets compromised then all traffic could in theory be tampered with.
Ensuring your home router is on the latest version of its firmware and that the default credentials are changed as soon as possible is of utmost importance in keeping you and your data safe. If you find your router is too old to be updated then ideally you should consider a newer one that is being maintained. The trouble is, as it’s often an “install and forget” device gathering dust on a shelf or even in a cupboard, it’s usually last on the list of devices being monitored. Ideally you should check all your internet enabled devices to see if they have been or could be updated and proceed with utmost urgency if found to be out of date. You could of course look for security software that would scan your connected devices at home and check to see if they are able to be compromised.”