Malicious hackers are seizing control of poorly-protected home routers, and commanding them to launch attacks designed to brute force their way into WordPress websites. Security researchers at Wordfence first determined that something noteworthy was happening when they witnessed an unusual spike in attacks originating from Algeria against its customers' WordPress websites. Looking deeper into what was happening, the researchers discovered that the attacks were being launched from more than 10,000 IP addresses. 97% of the attacking IP addresses found in the country were owned by customers of the state-owned telecommunications provider, Telecom Algeria. That might be no surprise if Telecom Algeria was the only internet service provider in the country, but there are approximately 30 other ISPs operating in Algeria. The researchers determined that the attack was more sophisticated than normal, evading detection by only using each IP address for a short period of time:
These IPs switch on, perform a few attacks and then switch off and aren't heard from again for a month. What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours. The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.
Surveying the IP addresses, the researchers discovered that many were connected to a router manufactured by Zyzel, running Allegro RomPager 4.07, an embedded web server. And therein lies the problem.
Way back in 2014, Checkpoint alerted the world to a critical vulnerability in RomPager that they dubbed the "Misfortune Cookie" which could allow an attacker to remotely hijack a router and use it to attack home and business networks. At the time, Checkpoint said it had "detected approximately 12 million readily exploitable unique devices connected to the Internet present in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years." What's more - the bug had been there for some time. The bug was first introduced into RomPager's code back in 2002. Yes, this bug has been around for 15 years. Ouch! It would be great to think that by now internet-connected devices had been updated by now against a critical vulnerability that has been known about for three years, and been in existence for so long, but clearly some routers have been left to fend for themselves. And that's why so many attacks have been seen against WordPress sites, originating from hijacked routers that have a vulnerable version of RomPager version 4.07 on port 7547. And it's not just a problem for Algerian computer users. Wordfence produced a list of 28 ISPs around the world who it says have been the launchpad for attacks which suggest compromised routers. And, if you do a search on Shodan, you'll find that over 41 million home routers world-wide have port 7547 open to the public internet. The folks at Wordfence have produced an online tool that can tell users if their router is vulnerable to attack or not. Clearly if routers were being patched properly with security fixes then this would help to eradicate this particular attack. But owners of vulnerable routers are either oblivious to the problem, don't know that they should close port 7547 to outside access, or are simply not able to disinfect and update their systems. Furthermore, maybe some of the affected ISPs have dropped the ball when it comes to properly defending their customers from such flaws too. Wordfence's research team has a message for those ISPs:
Exposing port 7547 to the public Internet gives attackers the opportunity to exploit vulnerabilities in the TR-069 protocol. ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547. The only traffic that should be allowed is traffic from their own Auto Configuration Servers or ACS servers to and from customer equipment. There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity to identify compromised routers. They should also force-update their customers to firmware that fixes any vulnerabilities and removes malware.
But what about the other side of the attack? How can owners of WordPress sites protect themselves from brute-force attacks that attempt to break into their admin consoles.
It's not as though there is a small pool of potential victims. WordPress is the software that powers around a quarter of all websites, making it a hot target for online criminals.
- Choose a strong, long, unique password for your WordPress admin account.
- Choose a hard-to-guess username for your WordPress site's administrator account.
- Consider enabling two-factor authentication to prevent unauthorised access to your WordPress admin account, even if your password is guessed or compromised.
For more tips on securing your WordPress website from attack, read this guide. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc
