Weekly Threat Report 2nd December 2016

Created:  02 Dec 2016
Updated:  02 Dec 2016
This report is drawn from recent open source reporting.

Mirai targets router vulnerability

On Sunday 27th November around 900,000 Deutsche Telekom customers were affected by an attack from an adapted version of the Mirai worm, which left them unable to connect to the Internet. This was followed on Thursday 1st December by reports that 100,000 Post Office customers had been similarly affected, as had UK customers of the Internet Service Provider (ISP) TalkTalk. The attack combined the Mirai code, which scans for and compromises IoT devices that still use default passwords, with an exploit for a remote code execution vulnerability in the routers' TR-069 remote-management interface, which listens on TCP port 7547. The recently published vulnerability, reachable on any affected router that leaves port 7547 open to connections from the Internet, was also linked to an attack against the Irish telecoms company Eircom.
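A practitioner reading this will want to know whether the same scanning is hitting their own address space. The following is an added example, not code from the report or from any of the ISPs named in it: it runs a simple detector over firewall connection logs and flags sources that probe many distinct hosts on the TR-069 port (7547/tcp) or on the telnet ports the original Mirai scanner uses (23/tcp and 2323/tcp). The key=value log format, the sample lines and the ACS_ADDRESS allow-list entry are all constructed for this illustration; adapt the regular expression to your own firewall's export format.

```python
"""Added example (not part of the NCSC report): flag sources scanning for the
TR-069 management port (7547/tcp) or the Mirai telnet ports (23/tcp, 2323/tcp)
in firewall connection logs.

Log format and sample lines are constructed for this illustration; the
allow-listed ACS address is an assumed ISP auto-configuration server."""
from collections import defaultdict
import re

# Ports probed by the TR-069-targeting Mirai variant and by the original
# Mirai telnet scanner respectively.
TR069_PORT = 7547
MIRAI_TELNET_PORTS = {23, 2323}

# Assumed address of the ISP's own ACS (auto-configuration server). A real ACS
# legitimately connects to port 7547 on many routers, so it must be exempted
# or it will show up as the noisiest "scanner" in the data.
ACS_ADDRESS = "192.0.2.5"

# Constructed sample log: one connection attempt per line, key=value fields.
SAMPLE_LOG = """\
2016-11-27T10:00:01Z action=drop src=203.0.113.10 dst=198.51.100.1 proto=tcp dport=7547
2016-11-27T10:00:01Z action=drop src=203.0.113.10 dst=198.51.100.2 proto=tcp dport=7547
2016-11-27T10:00:02Z action=drop src=203.0.113.10 dst=198.51.100.3 proto=tcp dport=7547
2016-11-27T10:00:02Z action=drop src=203.0.113.10 dst=198.51.100.4 proto=tcp dport=7547
2016-11-27T10:00:03Z action=drop src=203.0.113.44 dst=198.51.100.1 proto=tcp dport=23
2016-11-27T10:00:03Z action=drop src=203.0.113.44 dst=198.51.100.2 proto=tcp dport=2323
2016-11-27T10:00:04Z action=drop src=203.0.113.44 dst=198.51.100.3 proto=tcp dport=23
2016-11-27T10:00:05Z action=accept src=192.0.2.5 dst=198.51.100.1 proto=tcp dport=7547
2016-11-27T10:00:05Z action=accept src=192.0.2.5 dst=198.51.100.2 proto=tcp dport=7547
2016-11-27T10:00:05Z action=accept src=192.0.2.5 dst=198.51.100.3 proto=tcp dport=7547
2016-11-27T10:00:06Z action=accept src=198.51.100.9 dst=198.51.100.1 proto=tcp dport=443
2016-11-27T10:00:07Z action=drop src=203.0.113.77 dst=198.51.100.1 proto=udp dport=7547
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def find_scanners(log_text, min_targets=3, allowlist=frozenset()):
    """Return {src: {"tr069": n, "telnet": n}} for every source that reached at
    least min_targets distinct destinations on the TR-069 port or on the Mirai
    telnet ports. Counting distinct destinations rather than raw attempts keeps
    a single retrying client from tripping the threshold."""
    hits = defaultdict(lambda: {"tr069": set(), "telnet": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "tcp" or src in allowlist:
            continue
        if dport == TR069_PORT:
            hits[src]["tr069"].add(dst)
        elif dport in MIRAI_TELNET_PORTS:
            hits[src]["telnet"].add(dst)

    flagged = {}
    for src, seen in hits.items():
        counts = {"tr069": len(seen["tr069"]), "telnet": len(seen["telnet"])}
        if max(counts.values()) >= min_targets:
            flagged[src] = counts
    return flagged


if __name__ == "__main__":
    for src, counts in sorted(find_scanners(SAMPLE_LOG, allowlist={ACS_ADDRESS}).items()):
        print(f"{src}: {counts['tr069']} hosts on 7547/tcp, {counts['telnet']} hosts on 23/2323")
```

Run from an ISP's vantage point, the allow-list matters: without it the ACS is reported alongside the real scanners. Run from a single site, an allow-list is rarely needed, but the same logic applies to any port your own management systems probe across many hosts.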

The Mirai worm has previously been associated with other DDoS incidents, such as the October attack on the DNS provider Dyn that caused outages at several major websites. The Mirai source code was subsequently published online, making it available for numerous actors to reuse. Deutsche Telekom has pushed out a fix to impacted routers, and TalkTalk has stated that it is currently working on one. A spokeswoman for TalkTalk stated, "Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm."

San Francisco Municipal Transit Agency

The San Francisco Municipal Transit Agency (SFMTA) was the victim of a ransomware attack last week which disrupted some of its internal systems, including its email servers. The individual responsible demanded a bitcoin ransom payment to unlock the files, which the SFMTA refused to pay. The attacker also threatened to expose 30GB of data allegedly obtained from the SFMTA network during the attack. However, this threat remains unsubstantiated: a spokesperson for the agency confirmed that no data had been accessed from its servers.

The ransomware attack caused several of the light rail's ticketing kiosks to become unavailable, forcing the agency to offer free travel for much of the weekend to minimise disruption to customers. SFMTA reported that the attack had no impact on transit services; however, the agency did lose a weekend of ticket revenue as a result. This is one of the first reported ransomware attacks against the US transportation sector. Although the impact was relatively limited in this instance, it demonstrates a 'proof of concept' that could be repeated against transport operators anywhere.
