Experts at the security firm Wordfence a few weeks ago reported that tens of thousands of flawed routers from dozens of ISPs worldwide were recruited in a botnet used to power several types of attacks against WordPress websites.
Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie,‘ to hack thousands of home routers and abuse them for WordPress attacks.
According to a new analysis published by WordFence, the volume of the attacks had started to drop significantly over the weekend, by Monday evening, the 30,000 or 40,000 attack attempts coming every hour from some ISPs had dropped to less than 5,000. and the frequency of the attacks continued to decrease.
According to the researchers, this frequency is continuing to decrease.
“Yesterday morning we noticed that there was a rapid drop-off in attacks from the ISPs we identified 3 weeks ago, that had targeted WordPress websites.” reads the analysis published by WordFence.
“This is what the change in activity looked like from the top 50 ISPs from where these attacks were originating during a 72 hour period ending yesterday (Monday) evening. Click the chart for a larger version.”
“As you can see, starting at around midnight on Sunday night (April 30th) Pacific time, the number of attacks we are seeing from ISPs where we found vulnerable routers have dropped from peaks of 40,000 in some cases to peaks of just above 5,000 attacks per hour. In many cases the attacks drop to much lower levels and continue to decrease.”
The root cause of this drop is still unclear, researchers at WordFence believe the situation will be more clear in the next week.
A possible cause is that the attackers ended their operation for some reason, otherwise law enforcement along security firms have tracked the botnet and took down the command and control (C&C) servers.
A few weeks ago, US authorities announced have dismantled the infamous Kelihos botnet. In the same period, the Interpol located and shut down nearly 9,000 Command and control servers located in Asia and hacked with a WordPress plug-in exploit.
This reduction of WordPress attacks originating from hundreds of ISPs worldwide is a good news. The experts were able to track the WordPress attacks originating from these ISPs and ban IP addresses involved in the botnet.
“The attacks originating from these ISPs were also resulting in their IP addresses being blacklisted by Wordfence and other services like SpamHaus. That resulted in the customers of those ISPs suffering because certain websites and services would block them. By reducing these attacks, this ensures those ISP customers have full internet access again.” concluded WordFence.
(Security Affairs – Misfortune Cookie, WordPress attacks)