Mirai takes down Talk Talk and Post Office routers

By:
James Pearce
Published on:

More than 100,000 Post Office customers lose internet access, while Talk Talk users also hit in latest cyber attack

A cyber attack targeting a certain type of routers has led more than a million customers losing internet services across the UK and Germany this week, according to reports.

More than 900,000 Deutsche Telekom customers lost internet access earlier this week in an outage the German carrier blamed on a cyber attack. Now, customers from both the Post Office and Talk Talk in the UK have also been hit, according to the BBC.

The attackers are believed to have used the Mirai worm that caused a major outage to Dyn in the US last month to seize control of the routers, knocking customers offline. The attack on Dyn led a number of major websites, including Twitter and Reddit, to be knocked offline.

Mirai is spread through hijacked computers, causing damage to Linux-powered equipment, including the Zyxel AMG1302 router used by the Post Office. It trawls the internet using a list of default passwords to breach passive internet-connect devices.

Around 100,000 Post Office customers are believed to have been affected on Sunday, while the Daily Mail claims up to 360,000 TalkTalk customers were knocked offline. 

A spokesman for the Post Office said: "We would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers. For those customers who are still having problems, we are advising them to reboot their router."

Sierra Wireless was also the victim of a 620Gbps distributed denial-of-service attack (DDoS) to its AirLink Gateway in October.

Andy Green, a technical specialist at Varonis, claims the fact that routers are vulnerable because of default passwords is down to “our own IT laziness”.

“Unfortunately, default-itis still plagues large organisations,” he added. “As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.

“You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders. In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.”

The source code for Mirai was reportedly posted online on Hackforums earlier this week. Synopsys manager of security solutions Adam Brown warned that more attacks like these should be expected in the near future.

"Now that the source code for Mirai is out there this will most likely not be the last that we will see if this type of attack. Modern routers with 1+GHz CPU's make a great platform for a Botnet army and being located at the end of a high speed broadband connection make a great base for executing a DDoS attack. This outage may just be the first symptom of these infections. Suppliers of hardware like this must ensure they govern their supply chain."