Weekly Threat Report 9th December 2016

Created: 09 Dec 2016
Updated: 09 Dec 2016
This report is drawn from recent open source reporting.

Infected routers vulnerable to further attacks?

A small number of TalkTalk and Post Office domestic Wi-Fi routers are reportedly vulnerable to a new variant of the Mirai malware known as ‘Annie’. The denial of service experienced by TalkTalk and Post Office customers last week is said to have been an unintended side effect of the actions of an attacker who goes by the name ‘BestBuy’, whose aim was to infect vulnerable routers with ‘Annie’.

Recently, BestBuy also claimed to have set up a server to push out malicious firmware updates to Annie-infected/vulnerable routers. Firmware is software embedded within the router, enabling it to function. By pushing out malicious firmware updates, BestBuy claims to be able to lock out ISPs and home users, effectively granting persistent access to the router.

To date, there is no evidence of these maliciously re-flashed routers ‘in the wild’. However, it is interesting to consider the motivations behind this activity. BestBuy could be seeking to grow the botnet, and is potentially doing so in a way that prevents others from infecting the same devices with their own malware variants.

On a separate note, a security researcher has raised concerns that TalkTalk router credentials could be stolen by attackers, using a ‘GetSecurityKeys’ request. This request returns information on the service set identifier (SSID) codes and the media access control (MAC) addresses, which could be used to reveal the physical location of routers. Router passwords could then be used to access the Wi-Fi network, should someone travel to the identified property.


CloudFlare notes unusual new DDoS activity

According to security firm CloudFlare, a large distributed denial of service (DDoS) attack was identified and mitigated by the firm's mitigation service with no impact to customers. The attacks started on 23 November and ran until 2 December, with the attacker working approximately 8 hours a day (from 1300 to 2100 EST) until the last day, when the DDoS lasted a full 24 hours.

The attacks were concentrated largely on the west coast of the United States, with CloudFlare surmising the targets were "gaming sites and virtual goods sites and services". The attacks peaked around 400 Gigabits per second (Gbps) on the first day and went over 480 Gbps on the third day. CloudFlare noted that the attacks were not coming from the Mirai botnet but were launched by a different tool that targeted the Transmission Control Protocol (TCP).

CloudFlare has not indicated who the attacker might be, but noted the pattern of attacks was unusual. The eight-hour shifts imply a highly professional threat actor and could be indicative of organised crime, state actors or hacktivist groups. Kaspersky Lab's IT Security Risks study in 2016 suggested that DDoS appealed to criminals as a smokescreen for other criminal activities. When businesses were victims of cyber crime, DDoS was frequently used as part of the attack tactics.


‘Avalanche’ cybercriminal network arrests

A major cyber crime network, responsible for hosting and distributing up to 20 different types of malware over several years, has been dismantled by a joint international law enforcement operation.

The group, known as ‘Avalanche’, operated one of the largest botnets in the world, using up to half-a-million infected computers on a daily basis. This distributed cloud-hosting network was used by cyber criminals to host malicious infrastructure and deliver malware, such as banking trojans and ransomware, through phishing emails. The network was especially resilient as it used a fast-flux technique which allowed attackers to hide behind an ever-changing network of compromised computers.

A four-year investigation, involving agents and prosecutors in over 30 countries, including the UK, resulted in five arrests and servers supporting Avalanche being seized or forced offline. Law enforcement used ‘sinkholing’ to infiltrate the network, a technique which redirected Avalanche internet traffic to law enforcement-controlled servers. Europol said this operation marked the largest-ever use of sinkholing to combat botnet infrastructures and the National Crime Agency reported that 830,000 malicious web domains connected to Avalanche's activities had been taken down, over 2000 of which had .uk addresses.
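Fast-flux, as used by Avalanche, shows up in DNS data as a domain whose answers rotate rapidly across many unrelated addresses with short TTLs. The following is an added example (not part of this report or of any law enforcement tooling) of a simple defender-side heuristic run over constructed passive-DNS style records; the domain names, addresses and thresholds are illustrative assumptions, not indicators from the Avalanche case.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample observations: (domain, resolved IPv4 address, TTL in seconds).
# Addresses come from documentation ranges; none are real indicators.
SAMPLE_RESOLUTIONS = [
    ("update-check.example", "203.0.113.10", 300),   # static host, long TTL
    ("update-check.example", "203.0.113.10", 300),
    ("flux-host.example", "198.51.100.7", 60),       # answers hop across prefixes
    ("flux-host.example", "192.0.2.44", 60),
    ("flux-host.example", "203.0.113.91", 30),
    ("flux-host.example", "198.51.100.200", 30),
    ("flux-host.example", "192.0.2.130", 60),
    ("flux-host.example", "203.0.113.5", 60),
    ("cdn.example", "198.51.100.1", 30),             # rotates, but within one /24
    ("cdn.example", "198.51.100.2", 30),
]


def flux_features(records):
    """Summarise each domain: distinct IPs, distinct /24 prefixes, mean TTL."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    features = {}
    for domain, addrs in ips.items():
        # Group answers by /24 so a legitimate CDN rotating inside one block
        # is not confused with hosts scattered across unrelated networks.
        prefixes = {ip_network(f"{a}/24", strict=False) for a in addrs}
        features[domain] = {
            "distinct_ips": len(addrs),
            "distinct_prefixes": len(prefixes),
            "mean_ttl": sum(ttls[domain]) / len(ttls[domain]),
        }
    return features


def is_fast_flux(feat, min_ips=5, min_prefixes=3, max_ttl=120):
    """Assumed thresholds: many IPs, spread over several prefixes, short TTLs."""
    return (feat["distinct_ips"] >= min_ips
            and feat["distinct_prefixes"] >= min_prefixes
            and feat["mean_ttl"] <= max_ttl)


def flagged_domains(records=SAMPLE_RESOLUTIONS):
    """Return the sorted list of domains that match the fast-flux heuristic."""
    return sorted(d for d, f in flux_features(records).items() if is_fast_flux(f))
```

In practice the same per-domain features would be computed over a much larger window of resolver logs, and a flagged domain is a candidate for blocking or for redirection to an internal sinkhole, the defensive counterpart of the technique the report describes.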

The long-term effectiveness of such operations is difficult to predict due to the motivations and resilience of cyber crime groups. We do know, however, that those operations which combine arrests and infrastructure seizures with malicious domain take-downs have the best chance for sustained impact.



This week's security updates were mainly platform-agnostic or cross-platform, affecting Linux and Unix-based systems among others, with no single sector identified as disproportionately impacted. It has been a relatively quiet week with no major vulnerabilities to report.

Mozilla fixed a use-after-free vulnerability in Firefox which could allow a remote user to execute arbitrary code on the target user’s system (remote code execution, or RCE for short). Fortinet updated FortiGate and FortiOS to fix a problem whereby a local user could obtain hashed passwords on the target system.

FreeBSD saw a couple of different updates to prevent elevation of privileges and bypassing of security controls, while Apache fixed a problem in HTTPD's HTTP/2 header processing which could lead to excessive resource consumption. There were also updates from Xen, SPIP, NetApp, b2evolution, IBM iNotes and BMC Patrol.

A variant of a previously fixed Apple iOS buffer overflow vulnerability is still awaiting a fix.

