Investigating the RCE attack that knocked out 900,000 German routers on Sunday
I woke up this morning to news that 900,000 customers of Deutsche Telekom in Germany were hit by network outages. My first thought was that this was simply a configuration issue or hardware failure which happens from time to time. However, one thing stood out to me: In a German news article, Deutsche Telekom was quoted saying that a reboot of the affected DSL router is fixing the problem temporarily. With this piece of information, it made me think that something influenced the routers from the outside and a reboot fixed the issue, until the same device was hit again. Could this be a mass-scanning attack similar to how the Mirai botnet was formed?
Indeed, just a little later, the SANS Internet Storm Center published an article about an attack on port 7547, which is used for consumer router remote maintenance through the TR-069 protocol. An intercepted packet showed how a RCE (remote code execution) vulnerability in the <NewNTPServer> part of a SOAP request was used to download and execute a file to infect the device.
Investigating network activity
Eager to investigate this more, I opened the Graylog Web Interface that collects information about all network connections of a static IP address in Texas.
I ran a simple query over all data of the last two weeks to see all connection going to destination port 7547:
This returned 1573 connection attempts to that port and a pretty clear histogram:
To put this into perspective, we only recorded 11 attempts before this wave of connection attempts that started at exactly 8 am CST on Saturday, November 26.
A quick analysis on the firewall response to these packets show us that 100% of them were rejected in our case:
To dive further, I looked at the origins of these connection attempts to try to figure out if this was coming from a few remote addresses or a botnet style attack from many different infected hosts:
In a total of 1568 attacking remote hosts, there are only two that attempted more than a single connection to our network, showing this is clearly a botnet-based attack.
Below shows the map of where the remote hosts are located:
There are two clear clusters of attacking hosts in Great Britain and Brazil.
Another quick analysis also showed that there were no connection attempts from inside our networks to internet addresses on port 7547. We set up an alert to be notified if this should happen because this would be a clear indication that one of our machines was part of the attacking botnet.
We’ll update this post if patterns are starting to change. Currently the attacks show no sign of winding down.
If you are a Graylog user, run the simple dst_port:7547 query with network data. Share your findings in the comments section below.