Tens of thousands of compromised routers abused in WordPress attacks

Pierluigi Paganini April 13, 2017

Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie’, to hack thousands of home routers and abuse them for WordPress attacks.

According to the experts at the security firm Wordfence tens of thousands, of home routers have been hacked and used to power cyber attacks on WordPress websites.

The security firm observed a spike in the number of attacks originated from Algeria and that targeted customer websites. Further investigation revealed that the attacks were launched from more than 10,000 IP addresses, most of which were associated with state-owned telecoms company Telecom Algeria.

“Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.” reads the analysis published by Wordfence.

“What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.”

The hackers exploited vulnerabilities in the routers provided by Telecom Algeria to its customers, then compromised the devices to launch brute-force and other WordPress attacks.

Wordfence identified compromised routers from 27 ISPs worldwide involved in the WordPress attacks. The routers of more than a dozen of these ISPs are listening on port 7547 that is used by the ISPs for remote management purposes, the experts noticed that all the flawed devices are running a vulnerable version of the AllegroSoft RomPager web server.

All the RomPager versions prior to 4.34 are affected by a critical vulnerability tracked as CVE-2014-9222, also known as ‘Misfortune Cookie‘.

WordPress attacks

The flaw was reported in December 2014 by researchers at Check Point Software Technologies who discovered that more than 12 Million Home Routers were affected by the issue.

The vulnerability could be exploited by an attacker to run a man-in-the-middle attack on traffic going to and from home routers from every manufacturer.

Once an attacker compromise a router, it could target any other devices on a local network, such as a smart TV or a printer.

The flaw can be exploited to hijack a large number of devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors.

The routers provided by 14 of the 28 ISPs are vulnerable to Misfortune Cookie attacks.

According Wordfence, in just three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.

Last month, Wordfence observed more than 90,000 unique IP addresses from the 28 ISPs associated with compromised routers, most of them generate less than 1,000 attacks over the course of up to 48 hours, after which they stop.

“In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites which is an attack surface of over 2 million websites.” states Wordfence. “We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.”

WordFence has published a free online tool that can be used to check if a router has port 7547 open.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Misfortune Cookie, WordPress attacks)

[adrotate banner=”13″]



you might also like

leave a comment