TalkTalk and Post Office customers lose internet access as routers hijacked

Graham Cluley

BBC News reports:

Thousands of TalkTalk and Post Office customers have had their internet access cut by an attack targeting certain types of internet routers.

A spokeswoman for the Post Office told the BBC that the problem began on Sunday and had affected about 100,000 of its customers.

TalkTalk also confirmed that some of its customers had been affected, and it was working on a fix.

Victims turned to Twitter (presumably they were accessing it via their phone) to express their annoyance.

This incident mirrors attacks on broadband routers used by internet users in Germany, which saw 900,000 Deutsche Telekom customers knocked offline, and Ireland.

The attacks, believed to be perpetrated by a new incarnation of the Mirai worm, are exploiting functionality which allows ISPs to remotely manage their customers’ broadband routers. I can fully understand why ISPs want that kind of ability to reduce the support burden, but surely it would be better if connections were only allowed from the ISP’s own managed network rather than any Tom, Dick or Harry based anywhere in the world?
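The restriction suggested above, as an added example (not code from this article or from any ISP): an allowlist check that accepts connections to a router's remote-management port only from the ISP's own management networks, run over constructed log lines. The port number 7547 (the IANA-registered TR-069/CWMP port), the address ranges and the log format are assumptions.

```python
import ipaddress

# Assumptions (not from the article): the management service listens on TCP 7547,
# the IANA-registered TR-069 (CWMP) port, and the ISP's management servers live in
# the documentation ranges below.
MGMT_PORT = 7547
ISP_MGMT_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:acc5::/64")]

def is_isp_source(src):
    """True if src is inside one of the ISP's management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: fail closed
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged as the embedded IPv4 address
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in ISP_MGMT_NETS)

def decide(src, dst_port):
    """Verdict for an inbound WAN connection: 'accept', 'drop' or 'n/a' (other port)."""
    if dst_port != MGMT_PORT:
        return "n/a"
    return "accept" if is_isp_source(src) else "drop"

def audit(log_lines):
    """Return the management-port sources that the allowlist would have dropped."""
    dropped = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            port = int(fields.get("dpt", ""))
        except ValueError:
            continue  # no usable destination port on this line
        if decide(fields.get("src", ""), port) == "drop":
            dropped.append(fields.get("src", ""))
    return dropped

# Constructed sample of inbound WAN connection attempts (not real traffic).
SAMPLE_LOG = [
    "in=wan src=192.0.2.5 dpt=7547",
    "in=wan src=203.0.113.77 dpt=7547",
    "in=wan src=::ffff:192.0.2.9 dpt=7547",
    "in=wan src=198.51.100.23 dpt=443",
    "in=wan src=2001:db8:bad::1 dpt=7547",
    "in=wan src=not-an-ip dpt=7547",
]

if __name__ == "__main__":
    for src in audit(SAMPLE_LOG):
        print("would drop management connection from", src)
```
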

Hull-based KCOM said it had also been affected, with approximately 1000 users reportedly unable to access the internet:

“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B.”

Vulnerable Post Office and TalkTalk routers include the Zyxel AMG1302 and D-Link DSL-3780, which if unpatched can be remotely hijacked by malicious attackers. Presently infected devices are just being used to scan the internet for more victims, but it’s surely only a matter of time before criminals use the botnet army they are creating to launch massive denial-of-service attacks.

TalkTalk is advising customers that if they reboot their routers this will wipe the malicious code from the infected devices:

We are aware some customers have lost connectivity to the internet and have a red light showing on the router. If you have been impacted by this issue please reboot your router by switching it off and on again which should resolve the problem.

Rebooting should download a new update to affected routers. That firmware patch is essential – because if it’s not installed your router is still vulnerable – and is likely to become infected again.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “TalkTalk and Post Office customers lose internet access as routers hijacked”

  1. As interestingly over reported as this is… has anyone actually carried out analysis on both the "Mirai" botnet and the symptoms being presented? Funny that tech savvy engineers reported this countless times previously about the variety (inclusive of TR-069) holes in consumer routers. Odd that it's supposed to attack known credentials, yet there are a number of these routers that have had their credentials changed and still suffered repeated restarts, resets and then forced firmware having to be applied as a "patch". Has anyone noticed that said "fix" to close these holes actually has left several still wide open? I see little in facts, lots in assumptions and errors repeating themselves!

  2. Could we be affected? We have the ZyXEL_37D4 router and it keeps disconnecting. Phoned our provider and they say everything is good their end.
