Mirai botnet attack hits thousands of home routers, throwing users offline

Germany's federal security office confirmed that almost a million customers in the country were affected by internet outages as a result of the attack.
Written by Zack Whittaker, Contributor

Nearly a million users across Europe were thrown off the internet during the weekend into Monday after criminals tried to hijack home routers as part of a coordinated cyber attack.

Security researchers said that routers given to customers in Germany by their internet providers were at risk of attack from the notorious Mirai malware, most notable for its large-scale botnet that brought parts of the internet offline on the US east coast last month.

Mirai, if used to attack specific targets, can bring down websites, services, or even internet infrastructure, which can mean wide-scale outages.

The routers, most of which were made by Zyxel and Speedport, had port 7547 open, a port typically used by internet providers to remotely manage and maintain the devices in case of an outage or other issue.

The exploit code used to attack the routers is believed to be derived from a modified version of Mirai, which instead of commandeering vast numbers of internet-connected surveillance cameras was used in a botched attempt to hijack home routers. According to the SANS Internet Storm Center, which was first to report the issue, honeypots pretending to be affected routers are receiving exploit orders as quickly as once every five minutes.

According to security researcher Kenn White, who tweeted on Monday, there are more than 41 million devices on the searchable internet with port 7547 open.

But instead of diverting those routers' internet traffic to the criminals' intended target to bring websites or services offline, the routers crashed.

Deutsche Telekom, the German internet provider whose customers were affected, said Monday that close to 5 percent of its 20 million customers suffered outages as a result of the malware, beginning Sunday, according to Reuters.

That figure had fallen to about 2 percent by midday local time.

Germany's federal office for information security confirmed in a bulletin on Monday that the malware was also "registered in the government network," but added that it wasn't effective due to the office's security systems.

The telecom had issued a fix (with an English translation), asking users to power down their routers and wait, so that they pull the latest update from the servers upon reboot.

Other customers across Europe, including in the UK as well as Ireland, are vulnerable to similar open-port attacks, reports have said.
