Security researchers at Wordfence report that thousands of hacked home routers are attacking WordPress sites. Wordfence's firewall and malware scanner products run on more than 2 million WordPress sites, and the company estimates that 6.7% of all attacks on those sites are coming from hacked home routers.
Wordfence CEO Mark Maunder says that in the past month alone they have seen over 57,000 distinct home routers being used to attack WordPress sites. The home networks behind those routers are now exposed to attackers who have full access to them through the compromised router: they can reach mobile devices, workstations, WiFi climate control, WiFi cameras and any other device that uses the home WiFi network.
Maunder also said that his team has frequently seen brute force attacks targeting both wp-login.php, the standard WordPress login endpoint, and the XML-RPC login interface. They have also recorded a small percentage of other attack types. Wordfence has detected a total of 67 million individual attacks from the routers the company identified in March.
While Wordfence researchers were putting together their monthly attack report, they noticed that Algeria had jumped from position 60 to 24 in their "Top Attacking Countries" list. Their analysis of the Algerian attack data revealed a 'long tail' of more than 10,000 attacking IPs originating from an Algerian state-owned ISP.
A vulnerability known as "Misfortune Cookie" is being exploited in these attacks. It targets a service, listening on port 7547, that ISPs use to remotely manage home routers. ISPs are supposed to block general internet access to this port, but many of them have not.
Maunder further stated that the attackers have in all likelihood exploited home routers on Algeria's state-owned telecommunications network and are using the compromised routers to attack WordPress websites around the world.
Wordfence researchers probed the devices to find out which services they were running and found that they are Zyxel routers of the kind typically used for home internet access. They also found that many of them have a severe and well-known vulnerability in RomPager, the embedded web server from AllegroSoft.
Digging deeper, they found that many ISPs around the world have the same problem, and that those routers are attacking WordPress sites via brute force attacks, Maunder says.
Maunder believes the reason Sucuri and other companies are not seeing this is that it is a weak ranking signal for malicious behavior. As he points out in the report, each of these IPs carries out only between 50 and 1000 attacks per month on sites, and each attacks for no more than a few hours. Collectively these are a very weak ranking signal for malicious behavior. That low frequency also makes the attacks more effective, because they are less likely to be blocked.
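The low-and-slow pattern described above defeats per-source rate limiting, so a detection needs to aggregate across sources. As an added example (not Wordfence's code or anything from the report), the Python script below parses combined-format access log lines, counts POSTs to wp-login.php and the XML-RPC endpoint (assumed at /xmlrpc.php) per source, and raises an alert when the aggregate across all sources is high even though no single IP crosses a per-IP threshold; the log lines and thresholds are constructed for the demonstration.

```python
"""Flag a distributed, low-rate brute-force campaign against WordPress login
endpoints in web-server access logs. Per-IP rate limiting misses attackers who
spread attempts over many sources, so attempts are also aggregated per site."""
import re
from collections import Counter

LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")  # /xmlrpc.php is assumed

# Apache/nginx combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_login_attempts(lines):
    """Yield (ip, path) for every POST to a WordPress login endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path in LOGIN_ENDPOINTS:
            yield m["ip"], path

def analyse(lines, per_ip_limit=20, aggregate_limit=50):
    """per_ip_limit: attempts above which one IP is blocked on its own;
    aggregate_limit: total attempts across all IPs that should raise an alert
    even when no single IP reaches per_ip_limit (thresholds are illustrative)."""
    per_ip, per_endpoint = Counter(), Counter()
    for ip, path in parse_login_attempts(lines):
        per_ip[ip] += 1
        per_endpoint[path] += 1
    total = sum(per_ip.values())
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    return {
        "total_attempts": total,
        "distinct_sources": len(per_ip),
        "per_endpoint": dict(per_endpoint),
        "noisy_ips": noisy_ips,                       # caught by per-IP limits
        "distributed_bruteforce": total >= aggregate_limit and not noisy_ips,
    }

# Constructed sample (not real traffic): 60 sources in the documentation range
# 203.0.113.0/24, each posting once or twice to a login endpoint, plus one
# benign page view. Every source stays far below any per-IP threshold.
SAMPLE_LOG = []
for i in range(1, 61):
    path = "/wp-login.php" if i % 3 else "/xmlrpc.php"
    for _ in range(1 + i % 2):
        SAMPLE_LOG.append(f'203.0.113.{i} - - [10/Mar/2017:03:{i - 1:02d}:00 +0000] '
                          f'"POST {path} HTTP/1.1" 200 3213')
SAMPLE_LOG.append('198.51.100.7 - - [10/Mar/2017:03:00:00 +0000] "GET /about/ HTTP/1.1" 200 9821')
```

Running `analyse(SAMPLE_LOG)` reports 90 attempts from 60 sources with no noisy IP, which is exactly the case a per-IP blocklist would never catch.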
This security problem is unusual in that the vulnerability lies in the routers, not in WordPress itself. The attackers compromise thousands of devices in bulk, upload a WordPress attack script and a list of targets, and then have thousands of routers under their control with which to attack WordPress sites.
This form of botnet isn't unusual: security researchers from ESET recently discovered a new malware family called Sathurbot that spreads via torrent files and carries out coordinated brute-force attacks on WordPress sites. In that case the weakness is not in the software but in weak WordPress administrator accounts.
Defending against brute force attacks begins with a strong administrator password. There are also many popular plugins, such as the Jetpack Protect module, Shield Security, iThemes Security and Wordfence, that offer protection against brute force attacks.
Anyone who wants to make sure their router cannot be recruited for these attacks can use a tool Wordfence has built to check. It detects whether the home router has port 7547 open or is running a vulnerable version of RomPager. If the router is vulnerable or port 7547 is open, Wordfence has published instructions on how to secure the device.