BBC News reports:
Thousands of TalkTalk and Post Office customers have had their internet access cut by an attack targeting certain types of internet routers.
A spokeswoman for the Post Office told the BBC that the problem began on Sunday and had affected about 100,000 of its customers.
Talk Talk also confirmed that some of its customers had been affected, and it was working on a fix.
Victims turned to Twitter (presumably they were accessing it via their phone) to express their annoyance.
This incident mirrors attacks on broadband routers used by internet users in Germany, which saw 900,000 Deutsche Telekom knocked offline, and Ireland.
The attacks, believed to be perpetrated by a new incarnation of the Mirai worm, are exploiting functionality which allows ISPs to remotely manage their customers’ broadband routers. I can fully understand why ISPs want that kind of ability to reduce the support burden, but surely it would be better if connections were only allowed from the ISP’s own managed network rather than any Tom, Dick or Harry based anywhere in the world?
Customers of Hull-based KCOM said it had also affected, with approximately 1000 users reportedly unable to access the internet:
“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B.”
Vulnerable Post Office and TalkTalk routers include the Zyxel AMG1302 and D-Link DSL-3780, which if unpatched can be remotely hijacked by malicious attackers. Presently infected devices are just being used to scan the internet for more victims, but it’s surely only a matter of time before criminals use the botnet army they are creating to launch massive denial-of-service attacks.
TalkTalk is advising customers that if they reboot their routers this will wipe the malicious code from the infected devices:
We are aware some customers have lost connectivity to the internet and have a red light showing on the router. If you have been impacted by this issue please reboot your router by switching it off and on again which should resolve the problem.
Rebooting should download a new update to affected routers. That firmware patch is essential – because if it’s not installed your router is still vulnerable – and is likely to become infected again.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “TalkTalk and Post Office customers lose internet access as routers hijacked”
"AMG302" is a typo for AMG1302 there isn't it?
Thanks for letting me know Ted. Fixed!
As interestingly over reported as this is… has anyone actually carried analysis on both the "Mirai" botnet and the symptoms being presented? Funny that tech savvy engineers reported this countless times previously about the variety (inclusive of TR-069) holes in consumer routers. Odd that it's supposed to attack known credentials, yet there are a number of these routers that have had their credentials changed and still suffered repeated restarts, resets and then forced firmware having to be applied as a "patch". Has anyone noticed that said "fix" to close these holes actually has left several still wide open? I see little in facts, lots in assumptions and errors repeating themselves!
Could we be affected? We have the ZyXEL_37D4 router and it keeps disconnecting. Phoned our provider and they say everything is good their end.