
Post Office and Talk Talk routers in cyber attack

Community Veteran
Posts: 16,862
Thanks: 1,141
Fixes: 13
Registered: 06-11-2007

Post Office and Talk Talk routers in cyber attack

Report from BBC NEWS site...

customers using POST OFFICE and TALK TALK routers to access the internet, have been disabled/hijacked cutting them off from the internet.

and it appears, that, despite many claims by the LINUX FRATERNITY on this forum, that LINUX is SAFER than WINDOWS from virus attack,.... it seems that these routers use a LINUX base

http://www.bbc.co.uk/news/technology-38167453

 

 

***************************************************************************************************************************************************

It involves the use of a modified form of the Mirai worm - a type of malware that is spread via hijacked computers, which causes damage to equipment powered by Linux-based operating systems.

 

***************************************************************************************************************************************************

 

 

34 REPLIES
St3
All Star
Posts: 2,405
Thanks: 389
Fixes: 2
Registered: 13-07-2012

Re: Post Office and Talk Talk routers in cyber attack

Talk talk customers ... hmm so 10 people were affected then ?

Win 10
i7 7700k
GTX 970
rongtw
Seasoned Hero
Posts: 6,337
Thanks: 1,156
Fixes: 11
Registered: 01-12-2010

Re: Post Office and Talk Talk routers in cyber attack

Are PN routers at risk?

Asus ROG Hero Vii Z97 , Intel i5 4690k ,ROG Asus Strix 1070,
samsung 850evo 250gig , WD black 2 TB . Asus Phoebus sound ,
16 gig Avexir ram 2400 , water cooling Corsair H100i gtx ,
Corsair 750HXI Psu , Phanteks Enthoo pro case .
jab1
Seasoned Pro
Posts: 1,508
Thanks: 268
Fixes: 5
Registered: 24-02-2012

Re: Post Office and Talk Talk routers in cyber attack

@rongtw - they haven't been mentioned in the ISPreview story I read (I'll see if I can find it later), but that story did say routers with the default password were most at risk. AFAIK, PN routers all have a unique password.

http://www.ispreview.co.uk/index.php/2016/11/talktalk-isp-routers-potentially-vulnerable-new-mirai-w... - but that's thanks to Gel in another thread.

John
Community Veteran
Posts: 38,251
Thanks: 937
Fixes: 56
Registered: 15-06-2007

Re: Post Office and Talk Talk routers in cyber attack

 it would appear that those routers have TR-064 open for command which they shouldn't

As linked in the above post

Community Veteran
Posts: 7,928
Thanks: 603
Fixes: 8
Registered: 02-08-2007

Re: Post Office and Talk Talk routers in cyber attack

Am I not correct in thinking that over 90% of big business use Linux Systems ?

Community Veteran
Posts: 6,286
Thanks: 446
Fixes: 40
Registered: 30-07-2007

Re: Post Office and Talk Talk routers in cyber attack

It's not a Linux vulnerability as such, it's a TR-064/TR-069 bug. It's just that most of the routers use a Linux kernel and will use a lot of common (GPL) code. Linux servers in general are not likely to have TR-064/TR-069 code in them 

Community Veteran
Posts: 7,928
Thanks: 603
Fixes: 8
Registered: 02-08-2007

Re: Post Office and Talk Talk routers in cyber attack


St3 wrote:

Talk talk customers ... hmm so 10 people were affected then ?


Are you sure they have that many customers, seems a high figure to me ?


harrym1byt
Rising Star
Posts: 106
Thanks: 14
Registered: 15-10-2016

Re: Post Office and Talk Talk routers in cyber attack


shutter wrote:

Report from BBC NEWS site...

customers using POST OFFICE and TALK TALK routers to access the internet, have been disabled/hijacked cutting them off from the internet.

and it appears, that, despite many claims by the LINUX FRATERNITY on this forum, that LINUX is SAFER than WINDOWS from virus attack,.... it seems that these routers use a LINUX base

http://www.bbc.co.uk/news/technology-38167453

 

 

***************************************************************************************************************************************************

It involves the use of a modified form of the Mirai worm - a type of malware that is spread via hijacked computers, which causes damage to equipment powered by Linux-based operating systems.

 

***************************************************************************************************************************************************

 

 


 

"TalkTalk also confirmed that its D-Link DSL-3780 routers were affected but said only a small percentage of its customers used them."

I'm ex-TT and using the 3780 now with PN. My ability to access web sites went on a desperately slow motion Sunday, Monday and Tuesday - until I rebooted the router and everything else. I was on the verge of complaining about poor PN access when I rebooted. I wonder if there is a fix?

Community Veteran
Posts: 16,862
Thanks: 1,141
Fixes: 13
Registered: 06-11-2007

Re: Post Office and Talk Talk routers in cyber attack


harrym1byt wrote:

I wonder if there is a fix?

 

use another make of router ? ? ? 

Slarti
Hooked
Posts: 8
Registered: 03-12-2016

Re: Post Office and Talk Talk routers in cyber attack

As I understand it the worm scans for open ports, on TalkTalk's IP range it was TCP port 7547 which I believe is open for remote help from them.

Now if I am correct Plusnet also offer remote help for users of their provided modems, so the question is, are Plusnet provided modems susceptible to a similar attack from a version of the Mirai worm modified to scan for Plusnet customers?

Personally I don't use Plusnet's modem but if I did I would like to know if a vulnerability exists, is there an open port used for remote help and which port they use. You could then check to see if that port is open and close it.

 

Further reading http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/ and http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/
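
For anyone who runs their own gateway and wants to see whether the scanning described in the post above is reaching them, the following is an added example (not part of the original thread) that summarises inbound connection attempts to TCP port 7547 from firewall logs. The log lines are constructed and trimmed to the relevant fields; the `WAN-DROP` / `WAN-ACCEPT` log prefixes and the `ppp0` / `br0` interface names are assumptions about the local rule set.

```python
import re
from collections import defaultdict

CWMP_PORT = 7547  # TCP port named in the post above

# Constructed sample in the Linux netfilter LOG format. The WAN-DROP / WAN-ACCEPT
# log prefixes and the ppp0 / br0 interface names are assumptions about the rule set.
SAMPLE_LOG = """\
Dec  3 10:01:02 gw kernel: WAN-DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=40112 DPT=7547 SYN
Dec  3 10:01:09 gw kernel: WAN-DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=40113 DPT=7547 SYN
Dec  3 10:02:30 gw kernel: WAN-ACCEPT IN=ppp0 OUT= SRC=192.0.2.55 DST=203.0.113.20 PROTO=TCP SPT=51822 DPT=7547 SYN
Dec  3 10:02:41 gw kernel: WAN-DROP IN=ppp0 OUT= SRC=198.51.100.99 DST=203.0.113.20 PROTO=TCP SPT=33001 DPT=23 SYN
Dec  3 10:03:05 gw kernel: LAN-ACCEPT IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=7547 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")
VERDICTS = {"WAN-DROP": "dropped", "WAN-ACCEPT": "accepted"}


def inbound_cwmp_attempts(log_text, wan_if="ppp0", port=CWMP_PORT):
    """Return {src_ip: {"dropped": n, "accepted": n}} for new inbound TCP
    connection attempts (SYN without ACK) to `port` on the WAN interface."""
    hits = defaultdict(lambda: {"dropped": 0, "accepted": 0})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        tokens = line.split()
        if fields.get("IN") != wan_if or fields.get("PROTO") != "TCP":
            continue  # LAN-side or non-TCP traffic
        if fields.get("DPT") != str(port):
            continue
        if "SYN" not in tokens or "ACK" in tokens:
            continue  # only count connection attempts, not replies
        verdict = next((v for p, v in VERDICTS.items() if p in tokens), None)
        if verdict is None or "SRC" not in fields:
            continue
        hits[fields["SRC"]][verdict] += 1
    return {src: dict(counts) for src, counts in hits.items()}


def exposed_sources(hits):
    """Sources whose attempts were let through, meaning the port is reachable
    from the internet and the firewall rule needs tightening."""
    return sorted(src for src, counts in hits.items() if counts["accepted"])
```

Any entry returned by `exposed_sources` means the port is open to the WAN; repeated dropped attempts only show that scanning is happening and the firewall is doing its job.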

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: Post Office and Talk Talk routers in cyber attack

the port alone being open is not sufficient for such an attack to take place.
it was the combination of a known open port AND a root password which was also known (due to the device using a default password).
Community Veteran
Posts: 4,921
Thanks: 343
Fixes: 16
Registered: 10-06-2010

Re: Post Office and Talk Talk routers in cyber attack

It's not just about the open port and known password, it's that the open port is accepting TR-064 commands, which it's not supposed to, regardless of any password. And then there's a further flaw (the handling of the NTP server setting) used to make the router download and execute the malware.

It shouldn't take long for someone to set up an online checker for the TR-064 acceptance flaw if there isn't such a checker already.
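
On the firmware side, the second flaw mentioned in the post above (the handling of the NTP server setting) is the kind of problem strict input validation closes. The following is an added example, not code from the thread or from any router vendor, and it assumes the configured value ends up on a command line; the `ntp-sync` helper and its `--server` option are hypothetical names.

```python
import ipaddress
import re

# Allow-list applied before any parsing: only characters a hostname or an IP literal
# can contain. This also rejects '%', which ipaddress accepts as an IPv6 scope id
# followed by arbitrary text on Python 3.9+.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_ntp_server(value):
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    if not _ALLOWED.fullmatch(value):
        return False  # spaces, quotes, ';', '$', backticks, newlines, '%', ...
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    host = value[:-1] if value.endswith(".") else value  # allow one trailing dot
    # A leading '-' fails the label check, so the value cannot pose as an option.
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def ntp_sync_argv(value):
    """Build the argument vector for the hypothetical `ntp-sync` helper.

    The value is validated first and then passed as a single argv element, to be
    run with subprocess.run(argv) and no shell, so it is never re-parsed as a command.
    """
    if not valid_ntp_server(value):
        raise ValueError("rejected NTP server setting: %r" % (value,))
    return ["ntp-sync", "--server", value]
```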

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: Post Office and Talk Talk routers in cyber attack

yes, but if the password is not the default then such a hack is unlikely to take place.
unless such a hacker is then going to try and brute force the password.

so you need at least two things for it to be an issue, and one of those things is very easily solved.
Community Veteran
Posts: 4,921
Thanks: 343
Fixes: 16
Registered: 10-06-2010

Re: Post Office and Talk Talk routers in cyber attack

The default password is usually the device's serial number. And there's a TR-064 command that doesn't need a password that can be used to read device info, which includes the serial number.