Zyxel AMG1302 home router model
Zyxel AMG1302 home router model

Over 100,000 UK Internet customers had connectivity problems over the weekend, with most of the affected users being clients of the UK Postal Office, TalkTalk, and Kcom ISPs.

To blame for the problems is a recent version of the Mirai malware, which also caused havoc in Germany over the same weekend, where it knocked offline over 900,000 Internet and telephony customers of Deutsche Telekom.

Hackers are trying to hijack home routers, causing problems for users

According to multiple security firms that analyzed this recent Mirai version, it appears that the crooks behind the IoT worm have added support for exploiting a vulnerability found in multiple router models.

The vulnerability allows the Mirai malware to execute code on infected devices. Exploitation occurs via port 7547, running as part of the TR-069 protocol, which is used by ISPs to manage customer routers from a remote location.

In Germany, crooks used this exploit to target over 900,000 Speedport routers. In the UK, the attackers found the flaw in three different router models, but in lesser numbers. These are the Eir D1000 Modem, the Zyxel AMG1302, and D-Link DSL-3780 routers.

The UK Post Office's Internet broadband service was the most affected, with over 100,000 customers. The Post Office deploys Zyxel AMG1302, as does Kcom. TalkTalk customers that had D-Link DSL-3780 routers were also affected, but not in massive numbers.

Situation resolved via router firmware updates

Just like Deutsche Telekom, UK ISPs have prepared firmware fixes and have been asking clients to reset their routers, a process that automatically starts the firmware update process.

In an incident report, TalkTalk says it fixed the Mirai problem. Some UK Post Office Internet customers are still reporting problems, but the situation seems to have been resolved.

The crooks behind this variant of the Mirai malware are also renting access to their botnet, which can be used to carry out large-scale DDoS attacks. This is the same botnet that was involved in an attempt to bring down Internet connections for several Liberian ISPs.

Since our report about the botnet going up for rent over the weekend, the size of the botnet has grown from 400,000 bots to nearly 3,000,000, one of the hackers claimed.

In an interview with Motherboard, the same hacker apologized for the downtimes, saying it was an accident, which he didn't mean to happen.