Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month.
This outage took place on April 10, 2017, when Sierra Tel customers started complaining about losing Internet and telephone connectivity.
While initially there were unconfirmed rumors that the company had botched a firmware update, in a statement released the following day, on April 11, Sierra Tel admitted it was the victim of a "malicious hacking event."
The company said someone had targeted and hacked its Zyxel HN-51 modems, none of which could connect to its network anymore.
As the number of complaining users kept growing, Sierra Tel representatives asked customers to drop their Zyxel modems at their offices, where they could get a replacement.
The company underestimated the size of the incident, and after a few hours, it ran out of replacement modems, while customers formed long lines outside their offices.
Customers who came for replacements after that were asked to leave their devices at the company's offices and were promised that staff would repair the modem and call them when it was ready.
On Saturday, April 22, almost two weeks later, Sierra Tel representatives announced they had finally finished repairing all the affected modems.
"The Sierra Tel family is pleased to report that we have nearly completed our response to the highly disruptive impacts of the illegal hacking of the HN-51 modem," the company wrote on Facebook.
The outage was only reported by the local press and got little attention from national media, as it only affected Sierra Tel customers in the cities of Mariposa and Oakhurst, California.
The incident was brought to Bleeping Computer's attention by Janit0r, a man who claims to have developed BrickerBot, an IoT malware family that bricks unsecured IoT devices.
"BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity."
Janit0r suggested the other culprit was Mirai, a malware family also known to cause similar issues. Last year, a hacker known as Popopret deployed a defective Mirai version that caused over 900,000 modems belonging to Deutsche Telekom to go offline for nearly a day, before the German ISP retook control of its devices via a firmware update. A week later, several British ISPs suffered the same fate.
While it is impossible to say for certain what caused the Sierra Tel modems to go offline, all clues line up with BrickerBot entering "Plan B," the sequence Janit0r says is responsible for bricking devices.
In a previous interview with Bleeping Computer, Janit0r said that BrickerBot is not intentionally configured to destroy devices. The malware will first try to secure the device, but if it fails or the device cannot be secured, it will wipe its flash storage and rewrite it with random data. These actions render targeted devices useless, requiring repair or replacement, the exact same actions Sierra Tel took.
Janit0r also said he developed BrickerBot to go after the same devices targeted by other IoT malware families, which makes pinpointing the source of Sierra Tel's outage even harder.
It's quite possible that Sierra Tel's Zyxel modems went offline as the result of a secret turf war waged among various families of IoT malware, such as Mirai, BrickerBot, Hajime, Wifatch, Gafgyt, Imeij, and others. As more and more IoT malware families emerge, they will eventually cause more problems like the Sierra Tel incident.
"I'm worried that Sierra is unfairly getting some bad PR for being honest about the hack rather than covering it up," Janit0r wrote in another email. "I think Sierra did the right thing by being transparent to its customers. [...] I've seen other ISPs covering up such problems as 'bad firmware upgrades' or 'temporary connectivity issues'."
Nevertheless, Janit0r is not willing to give Sierra Tel too much praise.
"Sierra Tel should've locked down their network better, to begin with," Janit0r also added. "Having control interfaces filtered from the WAN [Internet] is critically important for any ISP deployment."
The "control interface" Janit0r is referring to is most likely TR-069, a remote-management protocol known to have security issues and one that Mirai has exploited in the past. In fact, this is the same control interface that Mirai exploited in the aforementioned incidents in Germany and the UK last year, which also involved Zyxel modems.
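The point Janit0r makes about filtering control interfaces from the WAN can be expressed as a concrete firewall policy. The shell script below is an added example for this article, not Sierra Tel's, Zyxel's or Janit0r's own configuration: it generates an nftables ruleset that lets the ISP's auto-configuration server (ACS) reach the modem's TR-069 management port while dropping every other WAN-side attempt, and includes a small audit helper that checks a ruleset for that drop rule. It assumes the management service is TR-069's conventional CWMP port, 7547/tcp, and that the caller supplies the WAN interface name and the ACS prefix; the `203.0.113.0/24` prefix and `eth0` used at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example: nftables rules that keep the TR-069 (CWMP) management port
# reachable only from the ISP's ACS range, as a defence-side illustration of
# "control interfaces filtered from the WAN".
# Assumptions (not from the article): the CPE management port is 7547/tcp
# (the conventional CWMP port); the WAN interface name and ACS prefix are
# supplied by the caller; 203.0.113.0/24 is a documentation prefix.

CWMP_PORT=7547

# Print an nftables ruleset that accepts CWMP only from the ACS CIDR ($1)
# arriving on WAN interface $2, and drops every other CWMP attempt from
# that interface. LAN-side management traffic is untouched.
tr069_wan_filter_rules() {
    acs_cidr=$1
    wan_if=$2
    cat <<EOF
table inet cpe_mgmt {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$wan_if" tcp dport $CWMP_PORT ip saddr $acs_cidr counter accept
        iifname "$wan_if" tcp dport $CWMP_PORT counter drop
    }
}
EOF
}

# Audit helper: read a ruleset on stdin and return 0 when CWMP is dropped
# from WAN interface $1, 1 otherwise. Useful as a post-deployment check
# that the WAN filter survived a firmware or config change.
cwmp_filtered_from_wan() {
    wan_if=$1
    if grep -q "iifname \"$wan_if\" tcp dport $CWMP_PORT counter drop"; then
        return 0
    fi
    return 1
}

# Usage: emit the ruleset; on the device it would be applied with `nft -f`.
tr069_wan_filter_rules 203.0.113.0/24 eth0
```

The accept rule must precede the drop rule, since nftables evaluates a chain top to bottom; the `counter` keyword on both lines gives an operator a quick way to see how much unsolicited CWMP traffic the WAN side is absorbing, which is itself a useful signal of scanning activity against the modem fleet.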
Sierra Tel has not responded to numerous requests for comment from Bleeping Computer, but said on Facebook that it is working with law enforcement to track down and catch the culprit of "this illegal and malicious hacking of the ZyXel HN51 modems."
Over the weekend, Radware, the cyber-security firm that first spotted BrickerBot, issued another report unveiling two newer versions of the BrickerBot malware, with different bricking techniques compared to the first samples it discovered. The company also has a series of recommendations for keeping IoT devices safe from BrickerBot and other IoT malware.