After last year’s TalkTalk data breach that allowed a 17-year-old hacker to steal 157,000 customers’ personal details, the business received a hefty fine of £400,000 in October for implementing poor website security. Now, just when TalkTalk thought they were safe, another cyber-attack has struck them by surprise.
On 27th November 2016, a major cyber-attack involving the Mirai worm targeting home routers resulted in at least 55,000 of TalkTalk’s customers losing their internet connection for several days. The same attack was also responsible for a mass shutdown of 900,000 Deutsche Telekom routers, with the Post Office also reporting that 100,000 of its routers were affected.
TalkTalk confirmed that its D-Link DSL-3780 routers were compromised due to vulnerabilities in their code. However, the threat did not stop there: further evidence from security researcher Ken Munro showed that this particular router model suffered a second malware infection after the initial attack, forcing the router to reveal its Wi-Fi password and SSID. A new variant of the Mirai worm, referred to as TR-06FAIL, compromised the routers’ security, as criminals could use the stolen credentials to snoop on customers’ internet activity, steal further passwords or financial data, and possibly change settings on the router.
Although clear evidence has been brought to the table by Munro and the BBC indicating that customers’ router credentials have been stolen, TalkTalk is being criticised for how it is dealing with the crisis. It is advising customers that there is “no need” to change their routers’ settings; instead, it suggests simply resetting the router. Munro is certain that the consequences of the second attack will still leave the routers vulnerable even after a reset, and he suggests: "TalkTalk should seriously consider replacing customer routers immediately unless it can prove they haven't been compromised."
However, TalkTalk should not be the only ISP worried about this malware, as yet again the infamous Mirai worm has found its way into the headlines with its new TR-06FAIL variant. This modified version of the worm attacks a newly discovered vulnerability in TR-064 (CPE WAN Management Protocol, or CWMP), which is widely used by many ISPs around the world to remotely manage network routers. Research by Imperva Incapsula revealed that in the UK there were 2,398 Mirai-infected home routers being used as part of a botnet, and 99% of those were TalkTalk routers. TalkTalk became aware of this situation and released an update to fix the routers’ vulnerability, which closes the TR-064 interface and resets the router.
It has been two months since the source code for the Mirai worm was released on the HackForum website, and since then it has caused a large number of disturbances worldwide, including the largest DDoS attack in history. All ISPs are aware of its presence and are advised to apply patches to routers to resolve the TR-064 issue, but who knows when the next variant of the worm could attack? These are indeed worrying times.