There's a group of hackers who are hijacking unsecured home routers and using these devices to launch coordinated brute-force attacks on the administration panel of WordPress sites.
The purpose of these attacks is for the hackers to guess the password for the admin account and take over the attacked site.
The routers play a crucial role in this scenario, as they allow the hackers to spread their brute-force attack over thousands of different IP addresses, evading firewalls and their IP blacklists.
Routers hijacked via port 7547
WordPress security firm WordFence, which uncovered these attacks, says the group behind this campaign is leveraging security flaws [1, 2] in the TR-069 router management protocol to take over devices. These flaws can be exploited by sending malicious requests to a router's port 7547.
Experts say the attackers are launching only a few password-guessing attempts from each router on purpose, to keep a low profile for their attacks.
The size of the botnet is unknown, but there could also be more than one botnet. WordFence says that 6.7% of all brute-force attacks on WordPress sites in March 2017 came from home routers with port 7547 left open on the Internet.
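Because each router makes only a handful of attempts, per-IP lockouts never fire, so the useful detection is site-wide. The following is an added example, not code from the article or from WordFence: it parses constructed Apache access-log lines and contrasts a per-IP threshold with a count over all sources in a time window. The thresholds and the "failed login returns 200, success redirects with 302" heuristic are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not from the article): five source
# addresses make two POSTs each to wp-login.php, plus one genuine login (302).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
203.0.113.10 - - [20/Mar/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
198.51.100.7 - - [20/Mar/2017:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
198.51.100.7 - - [20/Mar/2017:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
192.0.2.55 - - [20/Mar/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
192.0.2.55 - - [20/Mar/2017:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
203.0.113.77 - - [20/Mar/2017:10:01:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
203.0.113.77 - - [20/Mar/2017:10:01:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
198.51.100.23 - - [20/Mar/2017:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
198.51.100.23 - - [20/Mar/2017:10:02:28 +0000] "POST /wp-login.php HTTP/1.1" 200 3841
192.0.2.100 - - [20/Mar/2017:10:02:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)

def failed_logins(log_text):
    """Yield (timestamp, ip) for each wp-login.php POST that re-rendered the form (200)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("ip")

def per_ip_offenders(log_text, limit=5):
    """Classic per-source blocking: IPs with more than `limit` failures. Misses low-and-slow."""
    counts = Counter(ip for _, ip in failed_logins(log_text))
    return sorted(ip for ip, n in counts.items() if n > limit)

def distributed_campaign(log_text, window=timedelta(minutes=10), min_sources=5, min_failures=10):
    """Site-wide sliding window over all sources; returns (failures, distinct_ips) when
    many IPs that each stay under the per-IP limit together exceed `min_failures`, else None."""
    events = sorted(failed_logins(log_text))
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        span = events[start:end + 1]
        sources = {ip for _, ip in span}
        if len(span) >= min_failures and len(sources) >= min_sources:
            return len(span), len(sources)
    return None
```

On the sample, the per-IP rule returns no offenders while the windowed rule reports 10 failures from 5 distinct sources, which is the signal to alert on even though no single address looks abusive.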
Attacks coming from the networks of 28 ISPs
The company has tracked many of the biggest offenders to 28 ISPs around the world, 14 of which have a massive number of routers with their 7547 management port left open to external connections. A list of the offending ISPs is available here.
In many of these incidents, the attacks were tracked down to ZyXEL ZyWALL 2 routers. ZyXEL routers are well known for their TR-069 flaws.
At the end of last year, a hacker tried to hijack over one million routers from the networks of ISPs in Germany and the UK. Many of those routers were ZyXEL or rebranded ZyXEL routers. The hacker meant to add the routers to a Mirai botnet he was renting for DDoS attacks. UK police eventually apprehended a suspect in February.
ISPs could easily stop these attacks