Mirai Fingered for Massive Post Office and TalkTalk Outage

Over 100,000 Post Office and TalkTalk broadband customers have been taken offline after their routers were targeted by what appears to be a version of the infamous Mirai IoT malware.

A Post Office spokeswoman confirmed the news, which comes hot on the heels of a similar outage in Germany a few days ago affecting 900,000 Deutsche Telekom customers.

Among the router models affected in this latest blitz are the Zyxel AMG1302, used by the Post Office and KCom, and TalkTalk’s D-Link DSL-3780, according to the BBC.

It’s thought the malware targets routers via an unsecured TCP port, although details are still vague on the MO this time around.

The open-sourced Mirai famously caused an internet meltdown a few weeks ago when an IoT botnet built from devices compromised by the malware took out DNS provider Dyn, knocking offline internet giants including Spotify, Reddit and Twitter.

It was also responsible for huge DDoS attacks on Krebs on Security and managed to take the entire nation of Liberia offline for a while.

Mirai works by scanning the web for IoT devices like routers which are only protected by factory default or hard-coded credentials, with the aim of recruiting them into a botnet which can be directed to launch DDoS attacks.
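The scanning behaviour described above is what an ISP or home-router operator would most want to spot in their own logs. The following is an added example, not code from the article or from any of the companies it names: it parses constructed, simplified iptables-style firewall lines and flags source addresses that repeatedly attempt TCP connections to router management ports inside a short window. The port set, the log format and the thresholds are assumptions chosen for the example; the article itself only says that an unsecured TCP port is involved.

```python
"""Flag Mirai-style scanning of router management ports in firewall logs.

Added example (not from the article). The log format is a constructed,
simplified iptables-style line, and MANAGEMENT_PORTS is an assumption:
the article only mentions "an unsecured TCP port".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: ports on which an ISP-supplied router might expose remote
# management (telnet on 23/2323, TR-069 CWMP on 7547). Adjust per deployment.
MANAGEMENT_PORTS = {23, 2323, 7547}

# Constructed sample log. 198.51.100.7 hammers telnet on several routers
# within seconds; 203.0.113.99 touches 7547 only twice, minutes apart;
# 192.0.2.5 is ordinary HTTPS traffic; one line is unrelated kernel noise.
SAMPLE_LOG = """\
2016-12-01T08:00:01 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
2016-12-01T08:00:02 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=23
2016-12-01T08:00:03 kernel: IN=ppp0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP DPT=443
2016-12-01T08:00:03 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=23
2016-12-01T08:00:04 kernel: eth0 link up
2016-12-01T08:00:04 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=23
2016-12-01T08:00:05 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP DPT=23
2016-12-01T08:00:06 kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.15 PROTO=TCP DPT=23
2016-12-01T08:00:20 kernel: IN=ppp0 SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP DPT=7547
2016-12-01T08:05:00 kernel: IN=ppp0 SRC=203.0.113.99 DST=203.0.113.11 PROTO=TCP DPT=7547
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: IN=\S+ SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one firewall line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def find_scanners(lines, window_seconds=60, min_attempts=5):
    """Return {src: (max_attempts_in_window, sorted_ports)} for sources that
    attempt at least min_attempts TCP connections to management ports
    within any window of window_seconds."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] in MANAGEMENT_PORTS:
            by_src[rec["src"]].append(rec)

    hits = {}
    window = timedelta(seconds=window_seconds)
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        # Sliding window over the time-sorted attempts from this source.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts and (src not in hits or count > hits[src][0]):
                ports = sorted({r["dpt"] for r in recs[start:end + 1]})
                hits[src] = (count, ports)
    return hits


if __name__ == "__main__":
    for src, (count, ports) in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} management-port attempts, ports {ports}")
```

On the constructed sample only 198.51.100.7 is reported (six telnet attempts in five seconds); the two widely spaced TR-069 connections from 203.0.113.99 stay under the threshold. Thresholds this low suit an ISP edge that sees many customer routers; a single home router would see far fewer destinations, so tune `min_attempts` to the vantage point.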

“We would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers,” a Post Office spokeswoman told the BBC.

“For those customers who are still having problems, we are advising them to reboot their router.”

Meanwhile, a notice on the TalkTalk site claimed the router ‘connection issue’ had now been resolved:

“We are aware some customers have lost connectivity to the internet and have a red light showing on the router. If you have been impacted by this issue please reboot your router by switching it off and on again which should resolve the problem.”

Malwarebytes senior security researcher, Jean-Philippe Taggart, argued that router patching is a growing issue made more challenging by low user awareness, but added that things will only begin to change if an IoT compromise eventually results in loss of life.

“The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign,” he said.

“So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they’re experiencing a problem.”