Speedport W 921 Fiber

Participate: Learn much more about our honeypot network https://biologbiologischelandbouw.orghelandbouw.org/honeypot.html authorize Up for Free! Forgot Password?

What ist "TR-069"

TR-069 (or that earlier ausführung TR-064) zu sein a traditional published von the Broadband Forum. The Broadband forum is in industry organization defining standards used zu manage broadband networks. It focuses heavily ~ above DSL form modems and more recently had fiber optic connections. "TR" stands weil das "Technical Report". TR-069 zu sein considered the Broadband Forum's "Flagship Standard". <1> numerous ISPs and device manufacturers are members des the broadband forum.

Du schaust: Speedport w 921 fiber

TR-069 allows ISPs to manage modems remotely. Harbor 7547 has been assigned kommen sie this protocol. Some tools appear to use port 5555 instead. I haven't uncovered a standard specifying port 5555 zum this use, but it might be bei older version. Die standard suggests ns use des TLS 1.2but doesn't need it, and TLS would certainly not oase made a difference in this case. Authentication tun können happen via certificates, or

TR-069 messages room encoded using SOAP. This SOAP requests encompass a post that ist then parsed by the modem (CPE, "Consumer Premise Equipment). Die standard specifies a big range von required und optional features. Weil das example, the modem kann be rebooted, or reset zu factory condition. A TR-069 article can deshalb be used to get and set construction parameters. Some of these parameters und the detail of the säule model space defined an later technological reports. Weil das example, TR-098 defined the NTP server feature abused bei the exploit attempts we schutz seen.

A common (non exploit) request kommen sie set an NTP Server would look like: (click ~ above images for full size versions)

The response the modem would certainly return wollen be:

The Vulnerability & Exploit

On november 7th, 2016, "kenzo2017" posted a blog post showing how die TR-064 "NewNTPServer" feature kann sein be used kommen sie execute arbitrarily commands. The blog post mentioned only the D1000 modem used by Irish ISP Eir together vulnerable<2>. Together a proof of concept, ns blog post included a Metasploit module kommen sie execute commands, and to retrieve die modems WiFi password. This details modem ist a rebranded modem manufactured über Zyxel. Various other Eir modems (e.g. P-60HN-T1A_IPv6) were found kommen sie be delicate as well. There ist no mention des Eir being notified von this issue. I also can't uncover a CVE number weil das this vulnerability.

This isn't the first time TR-069 implementations to be found to be vulnerable. Over the belastung couple of years, a number of different concerns were dbiologischelandbouw.orgovered, many notably a "Misfortune Cookie" pest (CVE-2014-9222).

Deutsche Telekom Outage

On Sunday, november 27th, 2016, a huge number of deutsch Telekom customers report connectivity problems. These worries were later traced kommen sie attacks versus a specific type des modem. Deutsche Telekom offers the in brand geraten name "Speedport" for its modems, but die modems themselves are manufactured by different companies. Deutsche Telekom liststhe Speedport w 921 V, 723V Typ B, und 921 Fiber as affected. All von these modems are made by Taiwanese firm Acadyan, i beg your pardon does notfall appear to be connected to Zyxel, ns maker of the fragile Eir modem. <3> Comsecuris ran experiment on one des the modems and found it not vulnerable, but they did allude out that ns modem möchte become slow und "hang" also under moderate load, dafür it zu sein possible that the connections Mirai sent to die modem resulted in it zu hang, not the exploit itself. <4>

Deutsche Telekom rolled the end a firmware update zu fix the vulnerability exploited von the attack. There has been no official statement from deutsch Telekom confirming that die TR-069 attack was used to crash ns modem. However, deutsch Telekom did zustand that in "coding error" in the make use of caused the modems kommen sie crash instead des run the exploit code.

Increase in Scans zum Port 7547

Around the time the outage bei Germany, we did notification a considerable increase in the number von attacks against port 7547. Later, a comparable increase was noted top top %%port:5555%.

Honeypots confirmed that this scans room attempting to exploit ns TR-069 NewNTPServer vulnerability (line breaks and color added zum readability)


Mehr sehen: Geschenkidee: Amazon Gutschein Per Lastschrift, (Internet, Versand, Einkaufen)

The command executed wollen download added malware indigenous "tr069.pw" and execute it. We dbiologischelandbouw.orgovered a number of different URLs gift used. Die file name varies native 1 v 7, but 1 and 2 are die most usual once seen. There is also an "x.sh" script, but it usually doesn't exist on the web server.

Here room some des the URLs seen bei our honeypots, as well as URLs observed von our readers: (resolves to5.188.232.152 appropriate now. The other hold names appear dead right now)

The different binaries (1-7) are essentially ns same code, however compiled zum different architectures. This may indicate that die same exploit ist attempted against a wide range des vulnerable devices:

1: ELF 32-bit LSB executable, MIPS, MIPS-I ausführung 1 (SYSV), statically linked, stripped2: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped4: ELF 32-bit LSB executable, Renesas SH, ausführung 1 (SYSV), statically linked, stripped5: ELF 32-bit MSB executable, PowerPC or cbiologischelandbouw.orgo 4500, version 1 (SYSV), statically linked, stripped6: ELF 32-bit MSB executable, SPARC ausführung 1 (SYSV), statically linked, stripped7: ELF 32-bit MSB executable, Motorola 68020 - invalid byte order, version 1 (SYSV), statically linked, stripped

Hashes it was observed (they vary based on die URL used kommen sie spread ns code):

01fb38152c7f86aca2c42e8e8ebc46a9abeeac0501b0800e8009ee6328d112fd 1 b4d378a917b01bbb8a783bbd7a8cfe070c7dd6ac7b8aa5f205df6e7e24f0a85e 2 1fce697993690d41f75e0e6ed522df49d73a038f7e02733ec239c835579c40bf 3 828984d1112f52f7f24bbc2b15d0f4cf2646cd03809e648f0d3121a1bdb83464 4 c597d3b8f61a5b49049006aff5abfe30af06d8979aaaf65454ad2691ef03943b 5 046659391b36a022a48e37bd80ce2c3bd120e3fe786c204128ba32aa8d03a182 6 5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc 7 Based ~ above a straightforward "strings" analysis, the code downloaded zu sein the spreader looking weil das additional delicate systems. This code appears zu be derived from die "Mirai" botnet. While earlier versions of Miraiused well know default or weak passwords, this version now added die TR-069NetNTPServerexploit to its repertoire. Die command and control servers resolve zu a IP address weist this point which does not appear zu be operations. It zu sein assumed that this is used kommen sie "park" the botnet.


As a consumer, if you suspect that your modem ist vulnerable or worse, exploited: Reboot your modem and check top top firmware updates. For some ISPs, like deutsche Telekom, firmware updates room avaialbe. Yet you will typically receive ns firmware from her ISP, not the modem's manufacturer. ISPs customize firmware, like weil das example über enabling TR-069, und a "default" manufacturer detailed firmware may notfall work weil das you.

ISPs have to (and frequently will) limit access kommen sie port 7547 and port 5555 if it zu sein used weil das remote configuration. Modem need to only accept relationships from particular configuration servers. TR-069implementations had vulnerabilities an the past, and it ist very likely that extr issues möchte be found an the future. Restricting access to the port zu sein necessary zu protect die modem indigenous exploits versus unpatchedvulnerabilities.

How countless Modems room Vulnerable?

The number of devices hear on port 7547 zu sein as larger as 40 Million according zu counts performed v Shodan. But notfall all these modems might run breakable implementations, and some may only accept commends from certain servers. It zu sein difficult to say i beg your pardon modems are vulnerable and which as soon as are safe. My mitarbeiter "best guess" is that this vulnerability may schutz added 1-2 Million new bots to die Mirai botnet. We do oase about 600,000 source IPs scanning for this vulnerability an our database. However many des them may schutz been infected by Miraivia weak passwords. Weil das a klein number of sources the responded on port 443, us connected und retrieved TLS certificates. Ns overwhelming portion von certificates where issues über Zyxel, indicating that it is infected Zyxel gadgets that room participating bei the scanning.

Some prüfung done von Darren Martynshow that modems used über UK ISP TalkTalk, D-Link DSL 3780 modems, modems make byMitraStar, Digicom und Aztechare all vulnerable. He claims that he uncovered 48 different vulnerable gadgets <5>

The attack so far doesn't appear to be targeting a particular geographic area or a specific ISP.

Mehr sehen: Was Ist Das Parlament In Deutschland Stock Photos, Images & Photography

What's Next?

At this point, the newly infected systems are just used kommen sie scan zum more victims. Yet it zu sein probably just a matter of time until they are used zum DDoS attacks.

Further Reading


Samples: https://biologbiologischelandbouw.orghelandbouw.org/diaryimages/miraitr069binaries.zip (password: infected)