Spark blames web outage on modem exploit
New Zealand telecom operator Spark has blamed hackers exploiting vulnerabilities in consumer modems for a nationwide broadband network meltdown on Saturday.
Overseas cybercriminals had been using Spark’s network to relay DDoS attack traffic to websites in Eastern Europe, Spark said in a statement.
While the Spark network did not crash, the heavy traffic disrupted internet services for customers nationwide, leading to slowed or, in some cases, no connectivity.
Some security experts initially speculated that the attackers had been exploiting interest in the naked images of celebrities allegedly stolen from Apple’s iCloud to coerce New Zealanders into downloading malware onto their machines, which were then incorporated into botnets to conduct the DDoS attack.
Spark’s statement says its investigation determined that only a small number of customer connections had been generating the majority of the DDoS traffic, consistent with customers having malware on their devices.
But it adds that while Spark has not ruled out malware as a factor, “we have also identified that cybercriminals have been accessing vulnerable customer modems on our network”.
The compromised modems have open DNS resolver functionality, making it easy for cybercriminals to remotely bounce connection requests off them. This makes it appear as if the traffic originated from a New Zealand IP address.
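The behaviour described above has a recognisable shape from an ISP's vantage point: a consumer modem receives small DNS queries from outside the network (carrying the victim's address as the spoofed source) and answers them with much larger responses sent to that victim. The following is an added illustration, not Spark's tooling or any code from the article, of how a flow-level check could flag such modems. It assumes a constructed customer address range (203.0.113.0/24), constructed ISP resolver and victim addresses, and constructed flow records; the thresholds are illustrative.

```python
"""Flag customer IPs that behave like open DNS resolvers in reflection traffic.

Added example with constructed data; the address ranges, flow records and
thresholds are assumptions for illustration, not values from the article.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed customer address range (stands in for an ISP's broadband pool)
CUSTOMER_NETS = [ip_network("203.0.113.0/24")]


def is_customer(ip, nets=CUSTOMER_NETS):
    """True if ip falls inside one of the ISP's customer ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Normal: a customer asks the ISP's own recursive resolver (constructed) and gets an answer
    ("203.0.113.10", 51234, "198.51.100.53", 53, "udp", 70, 1),
    ("198.51.100.53", 53, "203.0.113.10", 51234, "udp", 180, 1),
    # A modem that answers an outside query with a small REFUSED: ratio about 1, no amplification
    ("192.0.2.200", 40001, "203.0.113.20", 53, "udp", 60, 1),
    ("203.0.113.20", 53, "192.0.2.200", 40001, "udp", 60, 1),
    # Reflection: small queries reach modem 203.0.113.77 with the victim's address as source...
    ("192.0.2.9", 41000, "203.0.113.77", 53, "udp", 60, 1),
    ("192.0.2.9", 41000, "203.0.113.77", 53, "udp", 60, 1),
    ("192.0.2.9", 41000, "203.0.113.77", 53, "udp", 60, 1),
    # ...and the modem sends large answers to the victim, which never asked for them
    ("203.0.113.77", 53, "192.0.2.9", 41000, "udp", 1400, 1),
    ("203.0.113.77", 53, "192.0.2.9", 41000, "udp", 1400, 1),
    ("203.0.113.77", 53, "192.0.2.9", 41000, "udp", 1400, 1),
]


def resolver_stats(flows, nets=CUSTOMER_NETS):
    """Aggregate DNS-shaped UDP traffic per customer IP.

    Only exchanges with addresses outside the customer ranges are counted:
    a customer talking to the ISP's own resolver is normal and ignored.
    Returns {customer_ip: {"resp_bytes", "query_bytes", "targets", "ratio"}}.
    """
    stats = defaultdict(lambda: {"resp_bytes": 0, "query_bytes": 0, "targets": set()})
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        # Outbound DNS answer: customer source port 53 -> address outside the ISP
        if sport == 53 and is_customer(src, nets) and not is_customer(dst, nets):
            stats[src]["resp_bytes"] += nbytes
            stats[src]["targets"].add(dst)
        # Inbound query: outside address -> customer destination port 53
        elif dport == 53 and is_customer(dst, nets) and not is_customer(src, nets):
            stats[dst]["query_bytes"] += nbytes
    for s in stats.values():
        # Amplification factor: bytes sent out as answers per byte of query received
        s["ratio"] = s["resp_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
    return stats


def find_open_resolvers(flows, nets=CUSTOMER_NETS, min_resp_bytes=1000, min_ratio=4.0):
    """Return customer IPs answering outside DNS queries with amplified responses.

    A modem that merely refuses queries stays below both thresholds; one that
    is relaying amplified answers to a third party exceeds them.
    """
    return sorted(
        ip
        for ip, s in resolver_stats(flows, nets).items()
        if s["resp_bytes"] >= min_resp_bytes and s["ratio"] >= min_ratio
    )


if __name__ == "__main__":
    for ip in find_open_resolvers(SAMPLE_FLOWS):
        s = resolver_stats(SAMPLE_FLOWS)[ip]
        print(f"{ip}: {s['resp_bytes']} response bytes to {len(s['targets'])} target(s), "
              f"amplification x{s['ratio']:.1f}")
```

The ratio matters as much as the volume: a modem that answers every outside query with a short REFUSED is exposed but not useful as an amplifier, while one returning full answers to addresses that never queried it is exactly the relay the article describes. In practice the thresholds would be tuned against the ISP's normal traffic, and a hit would feed the same follow-up the article mentions, namely isolating the connection and getting the device's firmware or configuration fixed.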
Spark has disconnected the modems and is in the process of scanning its entire broadband customer base to identify more vulnerable devices, the company said. Affected users will be contacted and advised to upgrade.
Spark added that it has also taken steps at the network level to mitigate the potential impact of vulnerable modems, but declined to give details for security reasons.
“What remains clear is that good end-user security remains an important way to combat these attacks. With the proliferation of devices in households, that means both the security within your device and the security of your modem,” Spark said.
Addressing the question of why it appears that only Spark and not New Zealand’s other ISPs were affected, the company said it “can’t say what other networks experienced. However, cybercriminals often look for clusters of IP addresses to use in any particular DDoS attack. That makes it more likely that these IP addresses belong to the customers of a single ISP.”
Spark is New Zealand’s largest telecom operator. The company rebranded from Telecom New Zealand in August after announcing the name change in February.