If you haven’t heard of Mirai, perhaps you’ve been hiding under something that’s not directly connected to the Internet – like a rock, maybe?! Or, you might be saying, “That Mirai thing sounds vaguely familiar. But why should I care?”
All stone-age puns aside, the Mirai malware (Japanese for “the future”) exploits systems with specific vulnerabilities and turns them into remotely controlled “bots”. These infected systems are connected together to form massive botnets that can be used to generate large-scale denial-of-service attacks on networks, resources, or specific sites. The Mirai infection has been the source of some of the most recent, and historically large, distributed denial-of-service (DDoS) attacks, including: the September 20th 620Gbps attack on Krebs on Security, the September 25th 1-Tbps attack on French hosting site OVH, and the November 28th attack that infected Internet modems and routers at Deutsche Telekom.
How does it spread?
Devices infected with Mirai malware scan the Internet for the IP addresses of vulnerable devices with the goal of replicating the malware onto them. By infecting a large number (many millions) of devices, Mirai avoids traditional security systems during its replication phase by targeting IoT devices, routers, and always-on devices which are publicly attached to the Internet. Contributing to this rapid propagation of the infection is the fact that the Mirai source code has recently been made publicly available, and the techniques have subsequently been adapted in other malware projects. Especially worrisome for carriers is that the infection has now spread to exploit known vulnerabilities on xDSL modems, cable modems, and routers directly. More on that below.
It makes sense that IoT devices with weak passwords quickly become infected, but what makes fixed modems and routers so susceptible to Mirai infection?
With hundreds of millions of modems deployed on fixed networks around the world, carriers need a simplified mechanism for pushing software, firmware, and security updates directly to the modem – without the need for subscriber intervention. The standard method to accomplish this is for the carrier to utilize TR-069, which communicates directly with an ISP-controlled server typically known as an “Auto Configuration Server (ACS)”. While most security organizations would naturally firewall port 7547 and other TR-069 ports, thereby blocking traffic from reaching the affected services, blocking TR-069 ports on the router/modem is not an option for the carrier without replacing, or physically updating, millions of devices.
The challenge is further amplified by the nature of Mirai in that it is a self-propagating worm; once a single system becomes infected it will quickly propagate to other vulnerable devices within the network, so simply firewalling the network at the boundary will not prevent it from spreading to other modems/routers.
Well, my network hasn’t been affected yet, so I must be immune, right?
The recent attack on Deutsche Telekom’s network that infected upwards of 900,000 customer modems is a foreshadowing of things to come, and should be of particular concern to fixed access providers. Since TR-069 is a globally adopted means of remotely managing customer premises equipment, the potential for exposure is extremely large. Recent results from active vulnerability scans using the IoT search engine shodan.io returned a potential exposure of upwards of 46 million active devices with the vulnerability. However, the exposure may be far greater, since many devices with this particular vulnerability have not been specifically cataloged. To understand your network’s potential for exposure, seek answers to the following questions from your network security and operations teams:
- Do we use TR-069 capable modems, routers, or access devices?
- If yes, how many devices are, or potentially could be infected?
- What are we going to do about it?
Okay, I know my exposure. What can I do about it?
At Sandvine, we’ve built a carrier-grade network security solution to detect, mitigate, and neutralize security threats like Mirai. Sandvine’s Cyber Security solutions are designed to enable the network to defend itself against emerging threats and zero-day attacks by interfering with the attack during its costly and visible early phases, preventing vulnerability discovery and attack propagation.
Utilizing Sandvine’s QuickSand, a feature of our Network Security product, operators benefit from deploying carrier-grade “decoy and deception” capabilities to mask devices for known vulnerabilities, and provide misinformation on scans for active IP addresses and active ports. Sandvine’s QuickSand neutralizes the effectiveness of Mirai by hindering its ability to propagate through multiple techniques, including:
- Network Scale Tarpitting: Slows down the propagation of attacks and malicious activity by monitoring the IP darkspace and acknowledging requests made by malicious nodes on behalf of the intended target.
- Dynamic Vulnerability Masking: Identifies modems that are publicly presenting a known vulnerability (such as TR-069), and masks this vulnerability to make the modem appear less exposed, and therefore non-attackable.
Unlike traditional security systems that require time-intensive configuration, or rely on rapidly updated feeds from threat intelligence databases that are often delayed, Sandvine’s QuickSand and Dynamic Vulnerability Masking capabilities actively interfere with the attack kill chain immediately, without requiring additional configuration, effectively enabling the network to proactively defend itself.
Reputable security sources close to the TR-069 exploitation agree that we’re just one small vulnerability away from modems downloading arbitrary code from untrusted sources, and treating it like it’s completely trusted.
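To make the propagation pattern described above concrete for a network operations team, here is an added detection example (not Sandvine’s code and not part of QuickSand): it reads constructed flow records, flags sources that open connections to many distinct hosts on the TR-069 port 7547, and counts how many of those probes land in a darkspace block (routed but unallocated addresses, where no legitimate ACS or modem lives). The flow format, the `10.0.0.0/8` addresses and the `10.0.10.240/28` darkspace block are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry): "src_ip dst_ip dst_port tcp_flags"
SAMPLE_FLOWS = """\
10.0.5.17 10.0.10.2 7547 S
10.0.5.17 10.0.10.3 7547 S
10.0.5.17 10.0.10.4 7547 S
10.0.5.17 10.0.10.250 7547 S
10.0.5.17 10.0.10.251 7547 S
10.0.5.17 10.0.10.9 7547 S
10.0.5.17 10.0.11.40 7547 S
10.0.5.17 10.0.11.41 7547 S
10.0.9.3 10.0.10.2 7547 S
10.0.9.3 10.0.10.2 7547 SA
198.51.100.7 10.0.10.2 443 S
"""

# Assumed darkspace: address space that is routed but has no subscriber equipment on it.
DARKSPACE = [ipaddress.ip_network("10.0.10.240/28")]
TR069_PORTS = {7547}


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, port, flags) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, flags = line.split()
        flows.append((src, dst, int(port), flags))
    return flows


def is_darkspace(ip):
    return any(ipaddress.ip_address(ip) in net for net in DARKSPACE)


def find_tr069_scanners(flows, min_targets=5):
    """Return {src: {"targets": n, "darkspace_hits": m}} for sources that sent SYNs
    to at least min_targets distinct hosts on a TR-069 port, or to any darkspace
    address at all. A single modem talking to its ACS never fans out like this."""
    targets = defaultdict(set)
    dark = defaultdict(int)
    for src, dst, port, flags in flows:
        if port in TR069_PORTS and flags == "S":  # only connection attempts count
            targets[src].add(dst)
            if is_darkspace(dst):
                dark[src] += 1
    return {s: {"targets": len(t), "darkspace_hits": dark[s]}
            for s, t in targets.items() if len(t) >= min_targets or dark[s] > 0}
```

On the sample data only 10.0.5.17 is reported (8 distinct TR-069 targets, 2 of them in darkspace); the single ACS-style exchange from 10.0.9.3 and the unrelated HTTPS flow are ignored.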
It’s time for a proactive approach. If you are a CSP and want to make servers and devices on your network appear less vulnerable to a potential Mirai exploitation, before your network becomes the next newsworthy subject of a cyber security attack, let’s chat about how Sandvine can help you.