US ISP Goes Down As Two Malware Families Go To War Over Its Modems (bleepingcomputer.com)
An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring in their modems at their offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.
Stay out of my territory (Score:2)
Re: (Score:2)
Your argument is that paying customers were given a choice in the matter and so should vote with their feet. Normally I would agree with that assertion except that most ISPs don't offer a choice of modem to customers or even alert them that they have a choice. Often they'll grumble about incompatibility issues if a new customer says, "I already have a modem."
Modems are just another way for ISPs to milk money out of their customers. e.g.: ISPs bulk buy these modems from whomever they can source them for $10
Re: (Score:2)
It steals the owner's ability to use the device. I don't need to move your car to prevent you using it.
Not a bad thing when you're in a neighborhood full of criminals who'll steal that car and use it for crime a couple of days after you bought it.
No link to relevant article about Sierra Tel (Score:3)
but there is a link about the previous incident at Deutsche Telekom?
What gives?
the level of the editors keeps getting lower or what?
Beadhull, get away from that Keyboard, you need a few cups of coffee! Now!
Yet another case for VPN tunnels (Score:3)
Re: (Score:1)
A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.
If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.
Re: (Score:1)
A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.
If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.
Yes, but only if you're dumb enough to run every random script from every unverifiable web site. Seriously, this is a solved problem. A good adblocker (which often include options for filtering malicious sites) and/or NoScript can easily prevent this.
Have you modified your toaster yet? (Score:4, Insightful)
1) I was unaware that websites currently require that you manually execute each script.
2) Show me a commercial OS with a supplied browser that includes a good adblocker and NoScript installed and properly configured by default.
Computers are basically appliances for 80% of the users on the internet now. I can mod my toaster and replace the plug with a grounded type, and only plug it into a GFCI outlet to reduce the risk of shock, but everybody else just plugs theirs in and makes toast. Until OS makers start putting actual, safe browsers on their products, instead of the two-bare-wires versions they currently include, the problem isn't actually with the users. It's with the negligent programmers.
Re: (Score:3)
The ISP manages their own devices from the WAN side, how else could they do it?
Another poster mentioned SNMP; I did not know that, I thought it was some non-TCP/IP protocol unique to cable modems. But either way they bear at least some responsibility for deploying these things in a way that allows these attacks to succeed so widely.
Re: Yet another case for VPN tunnels (Score:1)
Most ISPs I know of have two VLANs where one of them is only accessible by the ISP itself. (The router/modem has 2 IPs...)
Re: Yet another case for VPN tunnels (Score:1)
How we do management is that we have more than one PVC. A primary PVC is set up for subscriber internet, but the second faces a locked-down management network. The modem has an ACL in place to prevent access on the primary internet-facing PVC and another to permit access from the management side.
While true, that's insufficient and impractical (Score:3)
True, it would be much more secure (in one way) if administration was only possible from the local, lan-side port. However, that's neither practical nor sufficient.
First, some people can't effectively and reliably admin their own modem. They need the cable ISP to manage it. The ISP is on the external side. So the ISP needs access from the outside. That *should* be secured reasonably well, though.
Second, iframe src=http://192.168.1.1/admin/changepasswd.php?newpass=yourfucked
Putting that into any web page wil
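The comment above describes a cross-site request forgery: a GET embedded in an iframe changes the router password because the admin page trusts any request that reaches it from the LAN side. Below is an added example (not from this thread or from any router vendor) of the three checks a router's admin handler needs to make that iframe harmless; the `/admin/changepasswd.php` path and `192.168.1.1` come from the comment, while `router.local`, the request dict layout and the session handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical per-session secret; a real device would keep one per login session.
SESSION_SECRET = secrets.token_bytes(32)
# Hostnames the admin UI is served on (192.168.1.1 from the comment; router.local assumed).
ROUTER_HOSTS = {"192.168.1.1", "router.local"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the login session, so a third-party page cannot know it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_allowed_state_change(request: dict, session_id: str) -> tuple:
    """Decide whether a changepasswd request may proceed; returns (allowed, reason).

    `request` is a constructed dict with keys method, headers, form.
    Three independent rejections, each closing one cross-site avenue:
      1. state changes only via POST (an <iframe src=...> or <img> issues a GET);
      2. Origin (or Referer) must name the router itself; a missing header fails closed;
      3. the form must carry the session-bound CSRF token, compared in constant time.
    """
    if request["method"] != "POST":
        return False, "state change must use POST"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if not source or urlparse(source).hostname not in ROUTER_HOSTS:
        return False, "cross-origin request"
    token = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests: what the embedded iframe sends, versus the router's own form.
IFRAME_ATTACK = {"method": "GET",
                 "headers": {"Referer": "http://evil.example/"},
                 "form": {"newpass": "attacker-chosen"}}

def legit_request(session_id: str) -> dict:
    """A password change submitted from the router's own admin page."""
    return {"method": "POST",
            "headers": {"Origin": "http://192.168.1.1"},
            "form": {"newpass": "new-secret",
                     "csrf_token": issue_csrf_token(session_id)}}
```

A page on another origin cannot forge the Origin header or read the token, so even an auto-submitting POST form from that page is turned away at the second check.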
Linux Fails It (Score:1)
This is why I only use Windows IOT Core based devices.
Re: (Score:2)
Yeah, a Windows device would never just reboot to apply a new windows-upda"/(*)/)"(/ç"ç
NO CARRIER
Bricked or not? (Score:5, Insightful)
All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.
If the bricked devices were fixed, then they really were not bricked.
free repetition of doubtful words (Score:2)
Re: (Score:3, Informative)
Bricked means the device is unsalvageable (by the end user). You can typically salvage such devices by returning them to the manufacturer and having them JTAG the device to replace the firmware. Most cable/DSL modems can be updated via TFTP, but only if the device hasn't been wrecked beyond recovery.
For example, any wireless router/modem can be destroyed permanently by setting the radios to maximum power and then connecting to each other so that they generate excessive amounts of EM radiation and eventually
Re: (Score:2)
* E.g. us
Re: (Score:2)
I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.
Re: (Score:3)
I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.
You can permanently brick a device, even without hardware damage. Phones, for example, should have JTAG completely disabled for security (though many OEMs fail to do this), and depending on various bits of low-level config devices can get into a completely unflashable state. If the onboard firmware that accepts flashed images does something like sign the images with a key embedded in the SoC, and the ROM refuses to run unsigned firmware, and you can't flash normally any more, then even removing the flash me
Re: (Score:1)
Bricked: "You Keep Using That Word, I Do Not Think It Means What You Think It Means"
Since when are modems IoT devices? (Score:1)
Modems are not "Things." They are necessary infrastructure.
Re: (Score:1)
Walks like a duck, talks like a duck. Modems were the first "things" of the internet.
Companies deploy hardware without any upgrade plan (Score:4, Informative)
Re: (Score:2)
At work we have an AT&T ADSL2+ modem with the software modified to disable the disconnection redirect and disable updates.
They really, really want their modem to brag every time it loses connection, which would be OK, but they don't have no-cache set, so once the connection resets you have to close out of whatever you're doing to get it to stop redirecting to the modem status page.
They issued a firmware update to the modem so you couldn't modify it but didn't add the no-cache option required to fix the problem that
Liability (Score:5, Interesting)
There are many things that are considered bad practice (or outright stupidity) that make it into the consumer market, these should be punished.
The lack of timely firmware updates (or even any updates), should be punished.
Hardcoded accounts/passwords should be punished
Telnet/SSH access from the DSL side on by default should be punished
Wireless not requiring a password (a complex one!) before the wireless can be enabled should be punished
If manufacturers had to shell out $1000 per item for this sort of behaviour a lot would go to the wall, the others would clean up their act quickly.
And NO, manufacturers can not opt-out/contract out of this (if they try, make it $5000 an item).
Sure, no software is perfect, but that's not the problem; it's that so much junk is put out there with no attempt to make it secure. The average home user can not be expected to do this themselves.
Re: (Score:2)
This is why I prefer to contribute money v
Re: (Score:2)
Except any website that relies on the ad revenue to operate.
Re: (Score:2)
What would actually happen is websites would demand indemnity from the ad networks. Any ad network that wanted to actually push ads to anyone would be forced to accept that term. Then, with the financial burden being on them, they might actually screen the ads they serve.
Re: (Score:2)
My New Zealand ISP has no problems with people upgrading the firmware, especially those that know enough to do it.
Re: (Score:2)
By the time the unit is in the consumer's hands it's already too late; the effort needs to be made right at the concept stage, right through to manufacturing.
Most ISPs regard the modem as a throwaway item; it's cheaper for them to supply something new than to support something old. The manufacturers work on the basis that they want to sell something new and not support something old.
Neither the manufac
Re: (Score:1)
*applause*
I want to go a step further: fuck firmware. Make the god damn controllers work properly in the first place. Test every way imaginable even if it adds months before the manufacturing process. If you fuck up, send your customers replacement ROMs. If they don't know how to desolder the old one and install the new one properly, fuck them, too because they're worthless pieces of shit. Take consumer high tech out of the fucking dark ages.
Re: (Score:2)
Won't happen in any broad sense. Imagine this scenario, which would quickly go into effect if any statutes were passed or frequent civil liability suits gave judgments against them:
Shell company sells a new modem, licensing the name of some well-known company (e.g. Belkin). They produce the modem for 2 years, releasing periodic updates for the firmware. Upon product discontinuation, the shell company folds, and the liability now rests on a nonexistent company. Every product has its own associated shell comp
Yeah (Score:2)
Re: (Score:1)
I wouldn't care if they were. I was highly entertained and informed by this story. I might break karma just to mod down your lousy comment as flamebait.
"At the beginning of the month... (Score:1)
... on April 10."
Come for the nerd-news; stay hard for the WTFs.
Good... (Score:1)
Maybe all these folks that have been affected will start demanding more from manufacturers in regards to making sure these devices are secure and that security updates are provided on a regular and timely basis.
King Graham has fallen so far! =( (Score:4, Informative)
For those not in the know, this company is the heir to Sierra On-Line/Sierra Entertainment/Yosemite Entertainment in Oakhurst, CA. They created King's Quest, Space Quest, Police Quest, Leisure Suit Larry, et al. After the studio joined Codemasters they remained in Oakhurst until at some point it became an ISP. I'm not sure if any of the original folk are still there.
Relevant Wikipedia Entry [wikipedia.org]
(The Sierra name lives on as a trademark of Activision, but in name only. The hallowed halls of that great studio are now an ISP.)
Re: (Score:3)
To clarify, at one point Sierra tried to create their own online gaming network. This was *NOT* an internet-based network, but something you could connect to directly via dialup with a POTS modem. This later on became the ImagiNation network, which was purchased by AT&T.
https://blog.codinghorror.com/... [codinghorror.com]
As I understand it, the facilities originally created for this (since upgraded to support DSL service) were repurposed by the people involved into an ISP. All of this is based in the old Sierra headquarte
Comment on Bleeping... (Score:2)
woody188:
Wish Janit0r would change phase two so that it instead redirects all outbound requests to a page explaining what is wrong with the device and to contact their ISP. At least for modems/routers this would be much more preferable to just bricking a device and would empower the person to get help and maybe even salvage their device should an update be available. Vigilantes don't hurt the innocent! You listening Janit0r?
Nice idea. Ideally someone else should host that site.
You left your car unlocked... (Score:1)
You left your car unlocked, so I've removed the engine to prevent anyone from stealing it!
concomitant (Score:2)
Brilliant (Score:2)
I just adore BrickerBot more and more each story I read about it. This is the best solution, and sadly the financial impact is the only way to make these companies take security seriously.
Embarrassing for Sierra Tel (Score:2)
So this ISP was handing out shoddy insecure modems by the truckload, leaving all their customers susceptible to attack.
It's bad enough that these kinds of crappy devices exist on the market in the first place, but for an ISP to peddle the things... that's inexcusable. IMO the ISP needed this firm punch in the nose.