Clavister Blog Staff

Security lessons from the Deutsche Telekom cyberattack

In Blog post by Clavister Blog Staff

Hundreds of thousands of Deutsche Telekom customers in Germany found themselves unable to access the internet recently, thanks to a massive cyberattack that attempted to infect around a million routers.

The attackers were using Mirai malware, which attempts to hijack vulnerabilities in connected devices like routers, harnessing them to join the enormous global Mirai botnet. Then, as part of the botnet, those machines are used to launch attacks on other organizations, whether Distributed Denial of Service (DDoS) attacks to force them offline, flooding them with spam, or attempting to inject additional sophisticated malware and social engineering attacks. The bigger the botnet grows, the more damaging those attacks become. No less a figure than Elon Musk has suggested that, with the help of artificial intelligence, a massive botnet attack could cripple the entire global internet infrastructure.

Fortunately, this particular attack seems to have failed, with a senior Deutsche Telekom executive explaining that the routers were not successfully recruited into the Mirai botnet.  Yet the wider warning is clear.  Cybercriminals are harnessing the ever-growing world of connected devices to build hugely powerful attack forces. The German Office for Information Security has made a publicly statement to this effect, saying that the Deutsche Telekom attack was part of a concerted global campaign by criminals to hijack connected devices for their own malicious ends.

If the Deutsche Telekom attack had succeeded, and had hijacked the routers without forcing them offline, cutting consumers’ internet access, they might never have known that their gateway to the Internet was now part of a global criminal network. And as those consumers bring more and more smart, connected devices into their homes, there is an ever-richer field of targets for the criminals to choose from.

Looking at the other side of the picture – the businesses, organizations and even governments that are likeliest to be the target of massive botnet attacks – and it is clear that they need to take stronger, smarter steps to secure their networks against the risk of an attack powered by thousands or even millions of connected devices. But how?

Luckily, relatively simple steps can have a big impact. All organizations should, for example, ensure that their networks are carefully segmented and incorporate basic load balancing techniques simply as principles of good network architecture, which can significantly reduce the impact of DDoS attacks too.  Packet scrubbing services too are another useful way of reducing traffic volumes and improving DDoS readiness.

In terms of more specific proactive DDoS readiness in the ever-expanding Internet of Things (IoT), savvy organizations should consider GeoIP blocking. This enables organizations to automatically block all traffic originating from particular IP addresses, where they are located in geographical regions from which that organization has no need to accept traffic, or because they are known compromised machines. Once a malicious hacker has recruited a device to join a botnet like the Mirai botnet, that device is very likely, further down the line, to become benign again, so it can be blocked without risk.

GeoIP blocking is also a useful technique once a DDoS attack has actually started, because it enables organizations to identify where precisely on the internet that attack is originating. Then, the business can block traffic from those specific IP addresses or regions until the attack is over. It can also form a proactive strategy for responding to the attack, whether in its own security gateways or in partnership with its ISP.

This powerful risk mitigation via a relatively simple principle and technology is why, at Clavister, we have made GeoIP blocking an integral feature of all our next-generation firewalls. It’s a way of responding proactively to the latest techniques of cybercriminals, and recognizing that as more and more smart devices join the Internet of Things, botnets are only going to grow. The Deutsche Telekom botnet recruitment attempt failed, but other attacks will succeed. Botnets will continue to grow, and organizations of all shapes and sizes need to be prepared to defend against them.