Security Experts:

Thousands of Hacked Routers Used for WordPress Attacks

Tens of thousands of vulnerable home routers have been hacked and abused to launch attacks on WordPress websites, security firm Wordfence reported on Tuesday.

Last month, the company noticed that the number of attacks launched against customer websites from Algeria had increased significantly compared to the previous period. A closer analysis of the more than 10,000 attacking IP addresses revealed that most were associated with state-owned telecoms company Telecom Algeria.

Wordfence has determined that hackers exploited vulnerabilities in the routers provided by Telecom Algeria to customers, and then abused the hijacked devices to launch brute-force and other types of attacks on WordPress sites.

Researchers identified compromised routers from 27 other ISPs worldwide, including ones in Pakistan, India, the Philippines, Turkey, Egypt, Morocco, Malaysia, Brazil, Indonesia, Serbia, Saudi Arabia, Russia, Romania, Sri Lanka, Croatia and Italy.

The routers of more than a dozen of these ISPs are listening on port 7547, which is used by companies to manage their customers’ devices, and are running a vulnerable version of the AllegroSoft RomPager web server.

Versions prior to 4.34 of RomPager are affected by a critical vulnerability – tracked as CVE-2014-9222 and dubbed “Misfortune Cookie” – that can be exploited to hijack devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors. When they first disclosed the flaw back in December 2014, researchers warned that there had been at least 12 million vulnerable routers across most of the world’s countries.

According to Wordfence, 14 of the 28 ISPs provide routers vulnerable to Misfortune Cookie attacks. Researchers also pointed to another vulnerability, disclosed last year, that can be exploited to hijack home routers that use port 7547.

The company reported that, over the course of three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.

In the past month, Wordfence has seen more than 90,000 unique IP addresses from the 28 ISPs that appear to be associated with compromised routers. Experts said most IP addresses generate less than 1,000 attacks over the course of up to 48 hours, after which they stop.

WordFence has made available a simple online tool that can be used to check if a router has port 7547 open.

Related: 150,000 IoT Devices Abused for Massive DDoS Attacks on OVH

Related: Linux Trojan Brute Forces Routers to Install Backdoors

Related: Brute Force Attacks on WordPress Websites Soar

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.