Newly discovered router flaw being hammered by in-the-wild attacks

A new router exploit has started. Thought I would post this so members could be aware and check there equipment.

Looks like it's a mostly equipment supplied by ISPs in Europe.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.
...
People who want to lock down their routers and have the necessary technical skills should reboot them and immediately check to see if the devices are listening for incoming commands on port 7547. As mentioned above, most Mirai-infected devices will be locked down and will display few indications of compromise, although frequent reboots have been reported in a least some cases. Generally speaking, IoT devices are disinfected each time they're restarted. A good practice is to reboot them and immediately lock them down with a strong password, or, better yet, to disable remote administration.

Read more at this Link

Oftentimes, if these are I'm fact rented devices (not sure how it works in Europe), much of the firmware configuration options are locked down. If the ISP's are in fact keeping that port open for RA then the ISP's need to fix it.

a reply to: Tempter

In Europe and the United Kingdom we do not us that model(Renting routers)
The ISP's supply the routers free of charge or generally you are free to use your own.

This issue we saw not so long ago with routers with default username and password.
This allowed the lights on the router to be have as normal but once we remote into the
routers we found the LAN ports had been disabled amongst other evil deeds the miscreants
where able to perform.

Easily resolved but drove us mad for a good month or so having to sort peoples routers out remote.
Still get the odd router infected by that virus (Moose).

Now with this new one out in the wild my work load is bound to increase.
The amount of people that use default router logins or ISP's that send out routers with default logins!

The article speculated that patches would have to be uploaded. This might be complicated by malware on an affect device.