Slashdot Mirror


US ISP Goes Down As Two Malware Families Go To War Over Its Modems (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring their modems to its offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

15 of 93 comments

  1. No link to relevant article about sierratel by williamyf · · Score: 2

    But there is a link about the previous incident at Deutsche Telekom?

    What gives?

    The level of the editors keeps getting lower, or what?

    Beadhull, get away from that Keyboard, you need a few cups of coffee! Now!

    --
    *** Good luck to everyone and have a good day!
  2. Yet another case for VPN tunnels by Foxhoundz · · Score: 2

    Hacked modem or not, assuming you actually use a respectable router (e.g. VyOS/Edgerouter), you can at least avoid man-in-the-middle attacks due to the fact that packets will be encrypted by the time they ingress your modem on their way to the CMTS. That being said, it still won't stop the modem from becoming a zombie device itself. ISPs have a burden to resolve this as A) they and they alone lock down your device and manage it remotely via SNMP and B) their network is sending you the malicious unsolicited data from their network to yours.

    1. Re: Yet another case for VPN tunnels by FrankHaynes · · Score: 2

      The ISP manages their own devices from the WAN side, how else could they do it?

      Another poster mentioned SNMP; I did not know that, I thought it was some non-TCP/IP protocol unique to cable modems. But either way they bear at least some responsibility for deploying these things in a way that allows these attacks to succeed so widely.

      --
      slashdot: A failed experiment.
  3. Bricked or not? by Nkwe · · Score: 4, Insightful
    From the summary

    All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

    If the bricked devices were fixed, then they really were not bricked.

    1. Re:Bricked or not? by Anonymous Coward · · Score: 3, Informative

      Bricked means the device is unsalvageable (by the end user). You can typically salvage such devices by returning them to the manufacturer and having them JTAG the device to replace the firmware. Most cable/DSL modems can be updated via TFTP, but only if the device hasn't been wrecked beyond recovery.

      For example, any wireless router/modem can be destroyed permanently by setting the radios to maximum power and then connecting to each other so that they generate excessive amounts of EM radiation and eventually it will melt the amplifiers on at least one of the radios. It's like going from sitting inside a jet to sitting in front of the jet engine.

      DOCSIS cable modems can also destroy an entire neighborhood: trash the firmware in the right way and the cable modem will scream over the RF line and take out everyone's modems. Not too different from how old pre-DOCSIS modems would drown out a neighborhood every time someone loaded up WinMX or Kazaa.

    2. Re:Bricked or not? by swillden · · Score: 2

      I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.

      You can permanently brick a device, even without hardware damage. Phones, for example, should have JTAG completely disabled for security (though many OEMs fail to do this), and depending on various bits of low-level config, devices can get into a completely unflashable state. If the onboard firmware that accepts flashed images does something like sign the images with a key embedded in the SoC, and the ROM refuses to run unsigned firmware, and you can't flash normally any more, then even removing the flash memory and writing to it directly may not revive the device.

      Plus, software can sometimes do hardware damage, which can perma-brick.

      But, yeah, in the vast majority of cases where a device is "bricked", it can actually be revived by the manufacturer or their RMA centers. Even if JTAG isn't available and the system is tightly locked down, they typically have some keys they can use to sign messages to disable portions of the security infrastructure, specifically so that they can revive (and resell) bricked devices.

      I do low-level Android development and end up bricking a few devices every year. It's pretty rare that they can't be revived by the manufacturer, but it does happen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Companies deploy hardware without any upgrade plan by jfdavis668 · · Score: 3, Informative

    Companies rent you hardware, and they give no thought to upgrades. Not only ISPs, but cable boxes and other such devices. As long as it works when installed, that's good enough. To be properly secure, you need to keep up with security updates.

  5. Liability by sit1963nz · · Score: 4, Interesting

    Perhaps it is time that manufacturers have to accept liability for faulty software.

    There are many things that are considered bad practice (or outright stupidity) that make it into the consumer market, these should be punished.
    The lack of timely firmware updates (or even any updates), should be punished.
    Hardcoded accounts/passwords should be punished.
    Telnet/SSH access from the DSL side on by default should be punished.
    Wireless not requiring a password (a complex one!) before the wireless can be enabled should be punished.

    If manufacturers had to shell out $1000 per item for this sort of behaviour, a lot would go to the wall; the others would clean up their act quickly.

    And NO, manufacturers cannot opt out of / contract out of this (if they try, make it $5000 an item).

    Sure, no software is perfect, but that's not the problem; it's that so much junk is put out there with no attempt to make it secure. The average home user cannot be expected to do this themselves.

  6. Re:Crook? by Doke · · Score: 2

    I agree with your definitions. However, the BrickerBot author is closer to a vigilante hero, than a criminal.

  7. King Graham has fallen so far! =( by An+Ominous+Cow+Erred · · Score: 3, Informative

    For those not in the know, this company is the heir to Sierra On-Line/Sierra Entertainment/Yosemite Entertainment in Oakhurst, CA. They created King's Quest, Space Quest, Police Quest, Leisure Suit Larry, et al. After the studio joined Codemasters they remained in Oakhurst until at some point it became an ISP. I'm not sure if any of the original folk are still there.

    Relevant Wikipedia Entry

    (The Sierra name lives on as a trademark of Activision, but in name only. The hallowed halls of that great studio are now an ISP.)

    1. Re:King Graham has fallen so far! =( by An+Ominous+Cow+Erred · · Score: 2

      To clarify, at one point Sierra tried to create their own online gaming network. This was *NOT* an internet-based network, but something you could connect to directly via dialup with a POTS modem. This later on became the ImagiNation network, which was purchased by AT&T.

      https://blog.codinghorror.com/...

      As I understand it, the facilities originally created for this (since upgraded to support DSL service) were repurposed by the people involved into an ISP. All of this is based in the old Sierra headquarters in Oakhurst. It's funny, because what was originally "On-Line Systems", with no networking component, later became "Sierra On-Line". This became "Sierra Entertainment", which then attempted to create an on-line network, which later became an ISP. Therefore SierraTel is now more "on-line" than "On-Line Systems" ever was.

  8. Re:Linux Fails It by Anonymous Coward · · Score: 2

    Yeah, a Windows device would never just reboot to apply a new windows-upda"/(*)/)"(/ç"ç

    NO CARRIER

  9. While true, that's insufficient and impractical by raymorris · · Score: 2

    True, it would be much more secure (in one way) if administration was only possible from the local, LAN-side port. However, that's neither practical nor sufficient.

    First, some people can't effectively and reliably admin their own modem. They need the cable ISP to manage it. The ISP is on the external side. So the ISP needs access from the outside. That *should* be secured reasonably well, though.

    Second, iframe src=http://192.168.1.1/admin/changepasswd.php?newpass=yourfucked

    Putting that into any web page will cause the browser, which is on the internal network, to access the router or modem. So restricting access to be from the local network only is insufficient for security.
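
As an added illustration of the point above (example code, not from the thread or any vendor): a toy Python model of a router admin endpoint. The LAN-only check alone lets the iframe-triggered GET through, while requiring POST, a matching Origin header and a per-session CSRF token rejects it; the router origin, session store and sample requests are constructed.

```python
import hmac
import secrets

DEVICE_ORIGIN = "http://192.168.1.1"   # the router web UI origin used in the thread
# Constructed session store: cookie value -> CSRF token issued at login.
SESSIONS = {"sess-abc": secrets.token_urlsafe(32)}

def from_lan(req):
    # The check the thread discusses: only LAN-side clients may reach the admin UI.
    return req["src_ip"].startswith("192.168.1.")

def handle_naive(req):
    """Password change guarded only by the LAN-side restriction. Returns an HTTP status."""
    if not from_lan(req):
        return 403
    if req["path"] == "/admin/changepasswd.php" and "newpass" in req["params"]:
        return 200                              # state changed on a bare GET: CSRF-able
    return 404

def handle_hardened(req):
    """Same endpoint with the checks that stop a browser-driven (CSRF) request."""
    if not from_lan(req):
        return 403
    if req["path"] != "/admin/changepasswd.php":
        return 404
    if req["method"] != "POST":                 # a GET from <iframe src=...> must never change state
        return 405
    if req["headers"].get("Origin") != DEVICE_ORIGIN:   # browsers set Origin on cross-site POSTs
        return 403
    expected = SESSIONS.get(req["headers"].get("Cookie", ""))
    supplied = req["params"].get("csrf", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403                              # missing or forged per-session CSRF token
    return 200

def iframe_request():
    # Constructed: a LAN browser renders an attacker page containing
    # <iframe src="http://192.168.1.1/admin/changepasswd.php?newpass=...">.
    # The resulting GET comes from a LAN address, so the LAN-only check passes.
    return {"method": "GET", "path": "/admin/changepasswd.php", "src_ip": "192.168.1.23",
            "headers": {"Referer": "http://attacker.example/"},
            "params": {"newpass": "attacker-chosen"}}

def legit_request(newpass):
    # Constructed: the owner submits the UI's own form from a logged-in session.
    return {"method": "POST", "path": "/admin/changepasswd.php", "src_ip": "192.168.1.23",
            "headers": {"Origin": DEVICE_ORIGIN, "Cookie": "sess-abc"},
            "params": {"csrf": SESSIONS["sess-abc"], "newpass": newpass}}
```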

  10. Re:Crook? by Zocalo · · Score: 2

    My view too. Janit0r is absolutely a vigilante, but currently BrickerBot (and the less destructive Hajime) are the only active "solutions" to the various IoT botnets such as Mirai and, from their posts, I believe (s)he would stand down as soon as more active steps were taken by the vendors, ISPs, and owners. Far from ideal but, until those in a position to do something about it in a less disruptive manner step up to the plate, if that's the only option for the rest of us caught in the firing line, then I'll live with it. Keep calm, and carry on bricking!

    As for this specific incident, although Zyxel has to take some blame for shipping broken routers in the first place, I'd say the main culprit here is actually SierraTel, both for their failure to implement secure central management of their modems in the first place, but mostly for failing to learn from Deutsche Telekom's experience and remediate that error, despite having *six months* to do so. Clearly that has now cost them financially and in customer satisfaction, which should hopefully serve as a wake-up call to anyone else in a similar situation and dragging their feet over deploying a solution. Somehow, I don't think SierraTel is going to be the only ISP to have this kind of problem though.

    --
    UNIX? They're not even circumcised! Savages!
  11. Have you modified your toaster yet? by Overzeetop · · Score: 3, Insightful

    1) I was unaware that websites currently require that you manually execute each script.

    2) Show me a commercial OS with a supplied browser that includes a good adblocker and a NoScript installed and properly configured by default.

    Computers are basically appliances for 80% of the users on the internet now. I can mod my toaster and replace the plug with a grounded type, and only plug it into a GFCI outlet to reduce the risk of shock, but everybody else just plugs theirs in and makes toast. Until OS makers start putting actual, safe browsers on their products, instead of the two-bare-wires versions they currently include, the problem isn't actually with the users. It's with the negligent programmers.

    --
    Is it just my observation, or are there way too many stupid people in the world?