Security researchers at Wordfence are reporting that thousands of hacked home routers are attacking WordPress sites. Wordfence firewall and malware scanner products are in use on more than 2 million WordPress sites and the company estimates that 6.7% of all attacks on these sites are coming from hacked home routers.
“In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites,” Wordfence CEO Mark Maunder said. “Those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.”
Maunder said his team has mostly seen brute force attacks targeting both wp-login.php (the traditional login endpoint for WordPress) and also XMLRPC login. They have also seen a small percentage of complex attacks. Wordfence has detected a total of 67 million individual attacks from the routers the company identified in March.
While Wordfence researchers were creating their monthly attack report, they noticed that Algeria had jumped in rankings from position 60 to 24 in thier “Top Attacking Countries” list. Their review of attack data in Algeria revealed a ‘long tail’ of more than 10,000 attacking IPs originating from an Algerian state owned ISP.
A vulnerability known as “misfortune cookie” is being used in these attacks. It hijacks a service that ISP’s use to remotely manage home routers by listening on port number 7547. ISP’s should close general internet access to this port, but many have not.
“It appears that attackers have exploited home routers on Algeria’s state owned telecommunications network and are using the exploited routers to attack WordPress websites globally,” Maunder said.
Wordfence researchers scanned the devices to find out what services they are running and found that they are Zyxel routers usually used in a home internet setting. They found that many of them have a severe and well-known vulnerability in RomPager, the embedded web server from AllegroSoft.
“We then dug deeper and discovered that many ISPs around the world have this same issue and those routers are attacking WordPress sites via brute force attacks,” Maunder said.
I spoke with Tony Perez, CEO of Sucuri to see if his team has detected anything similar. Sucuri also tracks WordPress brute force attempts, but Perez said current numbers are not remarkable when compared historically to mid-2016.
“I think the reason Sucuri and other companies are not seeing this is because it is a weak ranking signal for malicious behavior,” Maunder said. “As we point out in the report, each of these IPs is only doing between 50 and 1000 attacks per month on sites. They also only attack for a few hours each. These combined are a very weak ranking signal for malicious behavior. That low frequency also makes the attacks more effective because they are less likely to be blocked.”
This particular security issue is unusual in that the vulnerability is with the routers, not with WordPress itself. The attackers bulk hack thousands of devices, upload a WordPress attack script and a list of targets, and then they have thousands of routers under their control to attack WordPress sites.
This type of botnet isn’t terribly uncommon, as security researchers from from ESET recently uncovered a new malware called Sathurbot that uses torrent files as a method of distributing coordinated brute-force attacks on WordPress sites. The vulnerability in this instance is not in the software but rather in weak WordPress administrator accounts.
Protecting against brute force attacks starts with a strong administrator password. There are also many popular plugins, such as Shield Security, the Jetpack Protect module, iThemes Security, and Wordfence, which offer protection from brute force attacks.
If you want to make sure your router is not vulnerable to being recruited for these attacks, Wordfence has created a tool that makes it easy to check. It detects whether your home router has port 7547 open or if it’s running a vulnerable version of RomPager. If you find that your router is vulnerable or port 7547 is open, Wordfence has published instructions for how to secure your device.