Thousands of Finnish modems attacked - reboot removes the malware
29.11.2016 at 18:34 - Updated 20.12.2016 at 15:05
It is difficult for users to notice whether their device has been infected with the malware. The malware may slow down the device or crash it. An affected device probably uses the capacity of the subscription for denial-of-service (DoS) attacks, for instance, without the user being aware of this.
The user of the subscription is responsible for cleaning the terminal. If necessary, a telecom operator may restrict outbound traffic to block malware traffic. Users are advised to follow any directions by the telecom operators.
Remote management of home routers, which involves an open port, creates a vulnerability that can be abused to infect the device. After this, the device starts to infect other similar devices as part of the botnet. Botnets controlling hijacked devices are used to launch DoS attacks, for example. Remote management of these devices generally uses TCP port 7547.
FICORA considers that in this case the conditions for filtering malicious traffic provided by law are fulfilled, and recommends that telecom operators filter traffic to port TCP/7547 to prevent exploitation of the vulnerability. Several telecom operators have started to filter such traffic.
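The two traffic patterns described above, inbound connections to the remote-management port and an infected device reaching out to TCP/7547 on many other addresses, can both be recognised in an ordinary router firewall log. The following script is an added example, not FICORA's own tooling: it assumes iptables-style kernel log lines, a WAN interface named ppp0 and a handful of constructed log lines, and reports whether the device is merely being probed on port 7547 or is itself scanning for other devices to infect (the behaviour the advisory says calls for a reboot and a firmware update).

```python
import re
from collections import Counter

# Constructed sample of iptables-style kernel log lines (no real device or address).
# 203.0.113.5 plays the home router's WAN address; ppp0 is its WAN interface.
SAMPLE_LOG = """\
Nov 29 18:34:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 29 18:34:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=7547 SYN
Nov 29 18:34:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=7547 SYN
Nov 29 18:34:09 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=443 SYN
Nov 29 18:35:10 gw kernel: IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.40 PROTO=TCP SPT=33001 DPT=7547 SYN
Nov 29 18:35:10 gw kernel: IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.41 PROTO=TCP SPT=33002 DPT=7547 SYN
Nov 29 18:35:11 gw kernel: IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.42 PROTO=TCP SPT=33003 DPT=7547 SYN
Nov 29 18:35:12 gw kernel: IN= OUT=ppp0 SRC=203.0.113.5 DST=203.0.113.99 PROTO=TCP SPT=33004 DPT=80 SYN
"""

# KEY=VALUE tokens as written by the iptables LOG target; the value may be empty (IN= / OUT=).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line, or None if it is not a packet log line."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DPT" in fields else None


def analyze_log(log_text, wan_if="ppp0", mgmt_port=7547):
    """Summarise port-7547 activity seen on the WAN interface.

    Inbound SYNs to the management port are exploitation attempts against this device;
    outbound SYNs to the management port of many other hosts mean this device is the
    one doing the infecting.
    """
    inbound_sources = Counter()     # who is probing our management port
    outbound_targets = set()        # distinct hosts we are contacting on that port
    outbound_sources = Counter()    # which local address is doing it
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or int(f["DPT"]) != mgmt_port:
            continue
        if f.get("IN") == wan_if:
            inbound_sources[f["SRC"]] += 1
        elif f.get("OUT") == wan_if:
            outbound_targets.add(f["DST"])
            outbound_sources[f["SRC"]] += 1
    return {
        "inbound_probe_sources": inbound_sources,
        "outbound_scan_targets": len(outbound_targets),
        "outbound_scan_sources": outbound_sources,
    }


def verdict(summary, scan_threshold=3):
    """Turn the summary into one of three states a user or operator can act on."""
    if summary["outbound_scan_targets"] >= scan_threshold:
        # The device is scanning for other modems: reboot it and apply the vendor firmware.
        return "likely_infected"
    if summary["inbound_probe_sources"]:
        # Being probed is expected while the port is exposed; operator filtering or a
        # firmware update closes the path.
        return "probed_but_no_outbound_scanning"
    return "no_port_7547_activity"


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    print("inbound probes by source:", dict(result["inbound_probe_sources"]))
    print("distinct hosts scanned on 7547:", result["outbound_scan_targets"])
    print("verdict:", verdict(result))
```

The threshold of three distinct targets is an assumption chosen for the constructed sample; on a real log a legitimate device never initiates connections to port 7547 on other hosts, so even a much lower count is worth acting on.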
At this stage, the following ADSL modems manufactured by Zyxel are known to be vulnerable. The list will be updated as new vulnerable devices are confirmed:
- Zyxel AMG1302-T10B
- Zyxel AMG1302-T11C
- Zyxel AMG1312-T10B
- Zyxel AMG1202-T10B (End-of-life)
- Zyxel P-660HN-T1A (End-of-life)
- Zyxel P660HN-T1Av2 (End-of-life)
It is very likely that other devices are affected by the vulnerability, too. Zyxel has released updated firmware for affected devices. Please see Zyxel's support page for details.
Target group of the alert
Owners of home routers (e.g. ADSL modems and network devices)
Possible solutions and restrictive measures
Update the equipment as instructed by the manufacturer or telecom operator as soon as a software patch is released.
If there is no update available for the device, reboot the device to remove the malware. As long as the telecom operator filters the traffic, the device is protected against reinfection. Devices set in bridge mode may also be vulnerable under certain circumstances, so a reboot and a firmware upgrade are recommended for these devices too.
To address the problem, telecom operators have restricted access in their networks to port TCP 7547, which is used for remote management of the devices. The malware may be removed from the device by rebooting it, and telecom operators filter the traffic to keep the device from getting infected again.
The filtering is a temporary measure and devices must be updated as soon as a software patch is issued.
If your operator publishes or sends any additional directions, make sure to follow them.
- SANS ISC InfoSec diary: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems