
Suspect in Mirai malware attack on Deutsche Telekom arrested

News roundup: U.K. authorities arrested a suspect in the Mirai malware attack on Deutsche Telekom. Plus, a judge denies a government request to collect fingerprints, and more.

The United Kingdom's National Crime Agency has arrested a suspect in connection with the November 2016 Mirai botnet attack on Deutsche Telekom.

The suspect, a 29-year-old British citizen, was arrested Feb. 22 at a London airport by the NCA, according to a public statement from the German Federal Criminal Police Office (Bundeskriminalamt, or BKA). The BKA worked with the NCA, as well as Cypriot law enforcement agencies, Europol and Eurojust, to execute the arrest warrant for the unnamed suspect, who could face up to 10 years in prison for "computer abuse."

The suspect is tied to broadband outages for approximately 1 million customers of Deutsche Telekom, the largest telecom company in Germany, with over 20 million customers. The outages were caused by a version of the Mirai malware. According to BKA, the attack was an attempt to pull the affected routers into a botnet for more large-scale distributed denial-of-service attacks.

In a statement, Thomas Kremer, member of the board of management of Deutsche Telekom AG for data privacy, legal affairs and compliance, said the company is "looking into taking civil legal action against the alleged perpetrator."

Despite the BKA's statement that it will question the suspect on the charge of "completed computer abuse," Deutsche Telekom said none of its customers' routers were infected with the Mirai malware, though it had previously pushed a patch for the vulnerable routers affected by the attacks.

"Deutsche Telekom was not the principal target of the global attack at the end of November 2016. And the attack did not even succeed: The malware failed to infect routers of Deutsche Telekom customers. However, about four percent of Deutsche Telekom customers experienced problems with their routers because some models were unable to cope with the overload from mass requests and crashed."

The suspect's identity remains unknown, but an unverified Motherboard report said the suspect might be the hacker known as BestBuy.

BestBuy previously claimed responsibility for the attack on Deutsche Telekom, and also claimed to be behind the GovRAT malware that stole data from U.S., and to have put a botnet of 400,000 internet-of-things devices infected with Mirai up for rent.

Whether or not the suspect is the elusive BestBuy, this marks the first arrest associated with the Mirai malware outbreak.

In other news:

  • A judge in Illinois denied U.S. government investigators a search and seizure warrant to collect the fingerprints of every person at a particular location. The government wanted to force everyone to provide their fingerprints to unlock iOS devices as part of a child pornography investigation. Magistrate Judge M. David Weisman said despite the seriousness of the investigation, the request made by the government was problematic due to a lack of current technology language, a lack of specific names of suspects and conflicts with the Fourth and Fifth Amendments. "Essentially, the government seeks an order from this Court that would allow agents executing this warrant to force 'persons at the Subject Premises' to apply their thumbprints and fingerprints to any Apple electronic device recovered at the premises," according to Weisman's order. "The request is neither limited to a particular person nor a particular device. And, as noted below, the request is made without any specific facts as to who is involved in the criminal conduct linked to the subject premises, or specific facts as to what particular Apple-branded encrypted device is being employed (if any)." Privacy advocates are in support of Weisman's decision, as such a broad collection of biometric data could disrupt the privacy of those affected.
  • After canceling this month's Patch Tuesday release, Microsoft is now trying to play catch-up to fix Adobe Flash vulnerabilities in Windows and Windows Server iterations. In a critical security bulletin, Microsoft provided updates for Flash in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10 and Windows Server 2016. The critical Flash vulnerabilities were addressed on Patch Tuesday by Adobe and affect libraries in Internet Explorer 10 and 11, and Microsoft Edge, according to the bulletin. Microsoft offered several mitigation techniques, and it also suggested that users can just disable Flash as a workaround.
  • CompTIA came out with a new certification, the Cybersecurity Analyst, or CSA+. The certification tests the applicants' skills for using behavior analytics in cybersecurity. The certification will cover threat detection tools and data analysis. "Armed with this information, cybersecurity professionals can more precisely identify potential risks and vulnerabilities, so resources can be allocated where they're most needed," said Todd Thibodeaux, CompTIA's president and CEO, of the certification. CompTIA already offers several security certifications, including the Security+ and CASP.
  • Staffers at the U.S. Department of Homeland Security were unable to log into their computer systems on Tuesday. The issue reportedly affected four facilities in the U.S. Citizenship and Immigration Services department. The problem was related to domain controllers that couldn't validate personal identification verification cards that the employees use to access the DHS systems, according to a Reuters report. The domain controller credentials were said to have expired on Monday, which was a holiday. "We are working to track all device certificate issuance and expirations to ensure future lapses of service do not occur," a DHS official said in a statement.
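The DHS outage above is a textbook certificate-lifecycle failure: a credential that lapses on a weekend or holiday is noticed only when the next working day's logins fail. The script below is an added example (not DHS code and not part of the original article) of the kind of expiry tracking the DHS statement describes. The inventory, hostnames, timestamps and holiday calendar are constructed sample data; a real deployment would load the inventory from the CA or from the domain controllers themselves. The check classifies each certificate, and also computes the last business day before expiry so a renewal is scheduled before a weekend or holiday gap rather than on it.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample inventory (hypothetical hostnames and dates, not any real
# organization's certificates). Each entry is (subject, notAfter as RFC 3339 UTC).
INVENTORY = [
    ("dc01.example.local", "2017-02-20T00:00:00Z"),  # lapses on a holiday Monday
    ("dc02.example.local", "2017-03-15T00:00:00Z"),
    ("ocsp.example.local", "2017-06-01T00:00:00Z"),
]

# Constructed holiday calendar; in practice load the organization's own.
HOLIDAYS = {date(2017, 2, 20)}

# Constructed evaluation time: midday on the Tuesday after that holiday Monday.
SAMPLE_NOW = datetime(2017, 2, 21, 12, 0, tzinfo=timezone.utc)


def parse_not_after(text):
    """Parse an RFC 3339 UTC timestamp ('...Z') into a timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_business_day_before(day, holidays):
    """Latest weekday strictly before `day` that is not a holiday: the last
    date on which staff can still renew before the certificate lapses."""
    candidate = day - timedelta(days=1)
    while candidate.weekday() >= 5 or candidate in holidays:
        candidate -= timedelta(days=1)
    return candidate


def check_inventory(inventory, now, warn_days=30, holidays=frozenset()):
    """Classify each certificate as 'expired', 'expiring' (within warn_days)
    or 'ok', and attach the renew-by date that avoids weekend/holiday gaps."""
    report = []
    for subject, not_after_text in inventory:
        not_after = parse_not_after(not_after_text)
        days_left = (not_after - now).days  # negative once expired
        if not_after <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append({
            "subject": subject,
            "not_after": not_after,
            "days_left": days_left,
            "status": status,
            "renew_by": last_business_day_before(not_after.date(), holidays),
        })
    return report


def urgent(report):
    """Subjects needing action now: already-expired first, then soonest expiry."""
    flagged = [r for r in report if r["status"] != "ok"]
    flagged.sort(key=lambda r: (r["status"] != "expired", r["not_after"]))
    return [r["subject"] for r in flagged]


def run_example():
    """Evaluate the constructed inventory at the constructed sample time."""
    return check_inventory(INVENTORY, SAMPLE_NOW, holidays=HOLIDAYS)


if __name__ == "__main__":
    for row in run_example():
        print(f"{row['subject']:20} {row['status']:9} days_left={row['days_left']:4} "
              f"renew_by={row['renew_by']}")
    print("urgent:", urgent(run_example()))
```

Run as-is it flags dc01 as already expired (its renew-by date was the Friday before the holiday) and dc02 as expiring within the 30-day window, which is the alerting a monitoring job would have needed to raise before the Tuesday login failures.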
