[This is a cleaned-up version to summarize yesterday's diary about the attacks against DSL routers]
What is TR-069
TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL-type modems and more recently included fiber optic connections. TR stands for Technical Report. TR-069 is considered the Broadband Forum's flagship standard. [1] Many ISPs and device manufacturers are members of the Broadband Forum.
TR-069 allows ISPs to manage modems remotely. Port 7547 has been assigned to this protocol. Some devices appear to use port 5555 instead. I haven't found a standard defining port 5555 for this use, but it may be an older version. The standard suggests the use of TLS 1.2 but doesn't require it, and TLS would not have made a difference in this case. Authentication can happen via certificates, or
TR-069 messages are encoded using SOAP. These SOAP requests include a message that is then parsed by the modem (CPE,
The Vulnerability Exploit
On November 7th, 2016, kenzo2017 posted a blog post showing how the TR-064 NewNTPServer feature can be used to execute arbitrary commands. The blog post mentioned only the D1000 modem used by Irish ISP Eir as vulnerable [2]. As a proof of concept, the blog post included a Metasploit module to execute commands and to retrieve the modem's WiFi password. This particular modem is a rebranded modem manufactured by Zyxel. Other Eir modems (e.g. P-60HN-T1A_IPv6) were found to be vulnerable as well. There is no mention of Eir being notified of this issue. I also can't find a CVE number for this vulnerability.
This isn't the first time TR-069 implementations were found to be vulnerable. Over the last couple of years, a number of different issues were discovered, most notably the Misfortune Cookie bug (CVE-2014-9222).
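As an added example (not part of the original diary), here is a check a honeypot or IDS operator could run over request bodies captured on port 7547, flagging any NewNTPServer value that is not a plain hostname or IP address. The SetNTPServers envelope, the numbered NewNTPServer1/2 element names, the sample requests and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A plain DNS name or IPv4 literal: labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*")
FIELD_RE = re.compile(r"NewNTPServer\d*")
FALLBACK_RE = re.compile(r"<(NewNTPServer\d*)>(.*?)</\1>", re.S)


def local(tag):
    """Strip an XML namespace: '{urn:x}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def suspicious_ntp_values(soap_body):
    """Return [(field, value)] for NewNTPServer* values that are not plain hosts."""
    pairs = None
    if "<!DOCTYPE" not in soap_body:  # do not parse entity definitions from untrusted input
        try:
            root = ET.fromstring(soap_body)
            pairs = [(local(e.tag), e.text or "") for e in root.iter()
                     if FIELD_RE.fullmatch(local(e.tag))]
        except ET.ParseError:
            pass
    if pairs is None:  # malformed or DOCTYPE-bearing request: fall back to a regex scan
        pairs = FALLBACK_RE.findall(soap_body)
    return [(f, v) for f, v in pairs
            if v.strip() and not HOST_RE.fullmatch(v.strip())]


# Constructed sample requests (not captured traffic); the injected value is a placeholder.
ENVELOPE = (
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>{}</NewNTPServer1><NewNTPServer2>{}</NewNTPServer2>"
    "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
BENIGN = ENVELOPE.format("ntp1.example.net", "192.0.2.10")
INJECTED = ENVELOPE.format("ntp1.example.net; PLACEHOLDER_COMMAND", "ntp2.example.net")
TRUNCATED = "<NewNTPServer1>a b</NewNTPServer1><Body>"  # not well-formed XML

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("injected", INJECTED), ("truncated", TRUNCATED)):
        print(name, suspicious_ntp_values(body))
```

Validating against what an NTP server name may contain, rather than listing known-bad characters, also catches malformed requests that a signature for one specific payload would miss.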
Deutsche Telekom Outage
On Sunday, November 27th, 2016, a large number of Deutsche Telekom customers reported connectivity problems. These issues were later traced to attacks against a particular type of modem. Deutsche Telekom uses the brand name Speedport for its modems, but the modems themselves are manufactured by different companies. Deutsche Telekom lists the Speedport W 921 V, 723V Typ B, and 921 Fiber as affected. All of these modems are made by Taiwanese company Arcadyan, which does not appear to be connected to Zyxel, the maker of the vulnerable Eir modem. [3] Comsecuris ran tests on one of the modems and found it not vulnerable, but they did point out that the modem will become slow and hang even under moderate load, so it is possible that the connections Mirai sent to the modem caused it to hang, not the exploit itself. [4]
Deutsche Telekom rolled out a firmware update to fix the vulnerability exploited by the attack. There has been no official statement from Deutsche Telekom confirming that the TR-069 attack was used to crash the modem. However, Deutsche Telekom did state that a coding error
The command executed will download additional malware from tr069.pw and execute it. We found a number of different URLs being used. The file name varies from 1 through 7, but 1 and 2 are the most common ones seen. There is also an x.sh script, but it usually doesn't exist on the web server.
Here are some of the URLs seen in our honeypots, as well as URLs observed by our readers:
http://srrys.pw/2 (resolves to 5.188.232.152 right now; the other host names appear dead right now)
The different binaries (1-7) are essentially the same code, but compiled for different architectures. This may indicate that the same exploit is attempted against a wide range of vulnerable devices:
1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
6: ELF 32-bit MSB executable, SPARC version 1 (SYSV), statically linked, stripped
7: ELF 32-bit MSB executable, Motorola 68020 - invalid byte order, version 1 (SYSV), statically linked, stripped
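As an added example (not from the original diary), the class, byte order and machine fields shown in the list above can be read straight from the ELF header, which lets an analyst group downloaded samples by target architecture without running them. The headers below are constructed 20-byte stubs, not the real samples, and the function names are illustrative.

```python
import struct

# e_machine values from the ELF specification (only those in the list above)
MACHINES = {2: "SPARC", 4: "Motorola 68000", 8: "MIPS",
            20: "PowerPC", 40: "ARM", 42: "Renesas SH"}


def elf_arch(data):
    """Return (bits, byte_order, machine) read from the first 20 bytes of an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])          # e_ident[EI_CLASS]
    order = {1: "LSB", 2: "MSB"}.get(data[5])   # e_ident[EI_DATA]
    if bits is None or order is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_type and e_machine follow the 16-byte e_ident, in the file's own byte order
    _e_type, e_machine = struct.unpack_from("<HH" if order == "LSB" else ">HH", data, 16)
    return bits, order, MACHINES.get(e_machine, "unknown (%d)" % e_machine)


def group_by_arch(samples):
    """Map (bits, order, machine) -> sorted sample names; non-ELF files go under None."""
    groups = {}
    for name, data in samples.items():
        try:
            key = elf_arch(data)
        except ValueError:
            key = None
        groups.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in groups.items()}


def stub(ei_data, machine):
    """Build a constructed 20-byte header: 32-bit ET_EXEC with the given byte order."""
    ident = b"\x7fELF" + bytes([1, ei_data, 1]) + bytes(9)
    return ident + struct.pack("<HH" if ei_data == 1 else ">HH", 2, machine)


# Constructed stand-ins for files 1-3 and 5, plus a shell script like x.sh
SAMPLES = {"1": stub(1, 8), "2": stub(1, 8), "3": stub(1, 40),
           "5": stub(2, 20), "x.sh": b"#!/bin/sh\n# constructed\n"}

if __name__ == "__main__":
    for key, names in group_by_arch(SAMPLES).items():
        print(key, names)
```

Reading e_machine in the byte order declared by EI_DATA matters: a big-endian PowerPC header decoded as little-endian would yield an unknown machine number instead of 20.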
Hashes observed (they vary based on the URL used to spread the code):
Based on a simple strings analysis, the code downloaded is the spreader looking for additional vulnerable systems. This code appears to be derived from the Mirai botnet. While earlier versions of Mirai used well-known default or weak passwords, this version has now added the TR-069 NewNTPServer exploit to its repertoire. The command and control servers resolve to a 6.0.0.0/8 IP address at this point, which does not appear to be operational. It is assumed that this is used to park the botnet.
Countermeasures
As a consumer, if you suspect that your modem is vulnerable or, worse, exploited: reboot your modem and check for firmware updates. For some ISPs, like Deutsche Telekom, firmware updates are available. But you will typically receive the firmware from your ISP, not the modem's manufacturer. ISPs customize firmware, for example by enabling TR-069, and a default manufacturer-provided firmware may not work for you.
ISPs should (and typically will) restrict access to port 7547 and port 5555 if it is used for remote configuration. Modems should only accept connections from specific configuration servers. TR-069 implementations had vulnerabilities in the past, and it is very likely that additional issues will be found in the future. Restricting access to the port is necessary to protect the modem from exploits against unpatched vulnerabilities.
How Many Modems Are Vulnerable?
The number of devices listening on port 7547 is as large as 40 million according to counts performed with Shodan. But not all these modems may run vulnerable implementations, and some may only accept commands from specific servers. It is difficult to say which modems are vulnerable and which ones are safe. My personal best guess is that this vulnerability may have added 1-2 million new bots to the Mirai botnet. We do have about 600,000 source IPs scanning for this vulnerability in our database. But many of them may have been infected by Mirai via weak passwords. For a small number of sources that responded on port 443, we connected and retrieved TLS certificates. The overwhelming portion of certificates were issued by Zyxel, indicating that it is infected Zyxel devices that are participating in the scanning.
Some tests done by Darren Martyn show that modems used by UK ISP TalkTalk, D-Link DSL 3780 modems, and modems made by MitraStar, Digicom and Aztech are all vulnerable. He states that he found 48 different vulnerable devices. [5]
The attack so far doesn't appear to be targeting a particular geographic area or a particular ISP.
What's Next?
At this point, the newly infected systems are just used to scan for more victims. But it is probably just a matter of time until they are used for DDoS attacks.
Further Reading
https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-router-vulnerability/
https://twitter.com/info_dox
Samples: https://isc.sans.edu/diaryimages/miraitr069binaries.zip (password: infected)
[1] https://www.broadband-forum.org/technical/download/TR-069_Amendment-5.pdf
[2] https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
[3] https://de.wikipedia.org/wiki/Speedport
[4] https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised_by_mirai/
[5] https://twitter.com/info_dox