When security experts warned us that Mirai-infected connected devices would strike again, and 10-fold, they weren’t kidding. Almost 1 million internet users in Europe couldn’t get online this weekend following an organized cyberattack launched by 900,000 home routers exploited by Mirai malware, Deutsche Telekom confirmed.

The German internet provider announced that only some 5 percent out of its 20 million customer pool was directly affected by the botnet attack. Once they started fixing the problem, the percentage dropped to 2. The identity of the hackers is unknown for now, but ISC SANS reports most of the traffic comes from Brazil.

“The massive interference from connections of Deutsche Telekom, according to findings from the Federal Office for Security in Information Technology (BSI), follow a worldwide attack,” reads the abendblatt.de. “According to BSI, the attacks were also noticeable in the government-protected government network, but could be repelled with effective protection measures. “

The routers involved in the attack were made by Zykel and Speedport and had port 7547 open, according to SANS Internet Storm Center. They were used for TV and landline services. Attacks have increased against these ports, as they “appear to exploit a vulnerability in popular DSL routers.”

“The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP,” SANS Internet Storm Center found.

Deutsche Telekom has released a firmware update for the routers. As 41 million devices have been detected to have this port open, users with vulnerable routers are advised to run the update and, if possible, block the port.