Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Thousands of Hacked Routers Used for WordPress Attacks

Tens of thousands of vulnerable home routers have been hacked and abused to launch attacks on WordPress websites, security firm Wordfence reported on Tuesday.

Tens of thousands of vulnerable home routers have been hacked and abused to launch attacks on WordPress websites, security firm Wordfence reported on Tuesday.

Last month, the company noticed that the number of attacks launched against customer websites from Algeria had increased significantly compared to the previous period. A closer analysis of the more than 10,000 attacking IP addresses revealed that most were associated with state-owned telecoms company Telecom Algeria.

Wordfence has determined that hackers exploited vulnerabilities in the routers provided by Telecom Algeria to customers, and then abused the hijacked devices to launch brute-force and other types of attacks on WordPress sites.

Researchers identified compromised routers from 27 other ISPs worldwide, including ones in Pakistan, India, the Philippines, Turkey, Egypt, Morocco, Malaysia, Brazil, Indonesia, Serbia, Saudi Arabia, Russia, Romania, Sri Lanka, Croatia and Italy.

The routers of more than a dozen of these ISPs are listening on port 7547, which is used by companies to manage their customers’ devices, and are running a vulnerable version of the AllegroSoft RomPager web server.

Versions prior to 4.34 of RomPager are affected by a critical vulnerability – tracked as CVE-2014-9222 and dubbed “Misfortune Cookie” – that can be exploited to hijack devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors. When they first disclosed the flaw back in December 2014, researchers warned that there had been at least 12 million vulnerable routers across most of the world’s countries.

According to Wordfence, 14 of the 28 ISPs provide routers vulnerable to Misfortune Cookie attacks. Researchers also pointed to another vulnerability, disclosed last year, that can be exploited to hijack home routers that use port 7547.

The company reported that, over the course of three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.

Advertisement. Scroll to continue reading.

In the past month, Wordfence has seen more than 90,000 unique IP addresses from the 28 ISPs that appear to be associated with compromised routers. Experts said most IP addresses generate less than 1,000 attacks over the course of up to 48 hours, after which they stop.

WordFence has made available a simple online tool that can be used to check if a router has port 7547 open.

Related: 150,000 IoT Devices Abused for Massive DDoS Attacks on OVH

Related: Linux Trojan Brute Forces Routers to Install Backdoors

Related: Brute Force Attacks on WordPress Websites Soar

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights