Blog.Telekom

Alexia Sailer


Botnet attack gets stuck in honey trap -or- Why Deutsche Telekom is looking for zombies – and finding them


Protection doesn't work if you only look at your own little world. For an outside perspective, Telekom Security is running an international network of digital traps. Telekom Security's experts have now monitored a botnet attack via these so-called honeypots.


Cyber Defense Center

The days in which every company minded its own business and only worried about fending off direct attacks from cybercriminals are long past. Nowadays, companies that want to protect themselves against increasingly sophisticated attacks from the Internet share information about the attackers' latest methods with others and keep track of the cyber-situation far outside their own firewalls. 

Telekom Security, a subsidiary of Deutsche Telekom, has operated a worldwide network of sensors for many years now, to keep track of the situation outside its networks. These sensors, called "honeypots", intentionally simulate vulnerabilities to attract attacks. Telekom Security's experts analyze these digital traps to see which targets are currently being attacked worldwide, even outside of the company's own network, and develop countermeasures together with partners. The experts recently noticed that a certain router model from the manufacturer Huawei is currently being attacked and integrated in a botnet. Important: Deutsche Telekom does not use this router model, nor are there any indications that it is used at all by Internet users in Germany. But there are users worldwide.

The perfect haul

The criminals planned their attack well: on November 25, 2017, Deutsche Telekom's 200 or so digital honeypots detected the first minor discrepancies. This was a warmup for the main event, which kicked off at 4:02 a.m. CET on December 5: for nearly 48 hours, the attackers activated routers that were already infected and attempted to infect and integrate further routers into the "Satori" botnet. Telekom Security's honeypots recorded up to 200,000 data packets per hour, all trying to infect routers around the world. The attackers used graduated steps to hide their trail. The attacks are still active today, albeit at a low level. The BSI, Huawei, and Telekom Security continue to share information.
The attack has been traced to Russia, but this doesn't mean the attackers are actually located there. Criminals have become quite adept at erasing their digital tracks while simultaneously planting false evidence, to avoid being located. In the original attack, a falsified command orders susceptible routers to download software code from a server in the Netherlands and then, in a second step, from Russia. Routers that are already infected are ordered to search for further vulnerable routers on their own. This dangerous pyramid scheme shows how important it is to keep your router secure in general.

Botnet growing quickly

The security experts estimate that up to 100,000 routers worldwide have been captured by the Satori botnet alone in the areas that Telekom Security monitors through its honeypots. Other sources go as high as 200,000. These dry figures describe powerful cyberweapons, whose owners usually don't have the slightest idea how their routers or other connected equipment is being misused for attacks. 

Nor are routers the sole target for attack and misuse, even though they remain a prime attack vector for cybercriminals; connected security cameras, TV sets, and even refrigerators are also increasingly popular: always (or often) online, with high performance, and often poorly protected. All the same, owners of such devices do not have to become paralyzed with fear or surrender in resignation, because the solution is simple: 

Update, update, update is the primary rule. When manufacturers make updates available, they are often eliminating vulnerabilities. Modern criminals often need just hours to figure out which vulnerabilities an update is supposed to eliminate – and then attack them directly. Those who weren't quick enough to install an update might be out of luck.

Deutsche Telekom helps its customers here. The Telekom Security team notifies affected customers, for example, as soon as honeypot data indicates that their IP addresses have been used for attacks. The experts then work with the victims, step by step, to clean the malware from their devices, thus freeing them from the clutches of the botnets. 
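As an added illustration (not code from Telekom Security, whose tooling the post does not describe), the following Python sketches the two steps the post outlines: finding the hour at which honeypot traffic jumps from background noise to an attack wave, and listing the source addresses whose owners would be notified. All records are constructed, and the spike factor and minimum hit count are assumptions.

```python
from collections import Counter


def constructed_hits():
    """Constructed honeypot records (timestamp, source IP); not real sensor data.
    A single scanner probes once an hour, then at 04:00 three infected routers
    start hammering the sensor every five minutes (mirrors the post's timeline)."""
    hits = [(f"2017-12-04 {h:02d}:30", "203.0.113.5") for h in range(20, 24)]
    hits.append(("2017-12-05 03:15", "203.0.113.5"))
    for minute in range(0, 60, 5):
        for ip in ("198.51.100.7", "198.51.100.8", "192.0.2.44"):
            hits.append((f"2017-12-05 04:{minute:02d}", ip))
    return hits


SAMPLE_HITS = constructed_hits()


def hourly_counts(hits):
    """Count hits per hour bucket, keyed as 'YYYY-MM-DD HH'."""
    return Counter(ts[:13] for ts, _ in hits)


def detect_onset(hourly, factor=10):
    """Return the first hour whose count exceeds `factor` times the mean of all
    earlier hours, i.e. where 'minor discrepancies' turn into the main event.
    The factor is an assumed threshold, not a figure from the post."""
    earlier = []
    for hour in sorted(hourly):
        if earlier and hourly[hour] > factor * (sum(earlier) / len(earlier)):
            return hour
        earlier.append(hourly[hour])
    return None


def sources_to_notify(hits, onset, min_hits=2):
    """Source IPs seen at or after `onset` at least `min_hits` times: the
    addresses whose owners a provider would contact about an infected device."""
    if onset is None:
        return []
    seen = Counter(ip for ts, ip in hits if ts[:13] >= onset)
    return sorted(ip for ip, n in seen.items() if n >= min_hits)


if __name__ == "__main__":
    onset = detect_onset(hourly_counts(SAMPLE_HITS))
    print("attack wave starts at:", onset)
    print("notify owners of:", sources_to_notify(SAMPLE_HITS, onset))
```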

FAQ