Number of WordPress Attacks powered by compromised routers is rapidly dropping

Experts from security firm WordFence reported a rapid reduction of WordPress attacks originating from hundreds of ISPs worldwide.

Experts at the security firm Wordfence a few weeks ago reported that tens of thousands of flawed routers from dozens of ISPs worldwide were recruited in a botnet used to power several types of attacks against WordPress websites.

Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie,‘ to hack thousands of home routers and abuse them for WordPress attacks.

According to a new analysis published by WordFence, the volume of the attacks had started to drop significantly over the weekend, by Monday evening, the 30,000 or 40,000 attack attempts coming every hour from some ISPs had dropped to less than 5,000. and the frequency of the attacks continued to decrease.

According to the researchers, this frequency is continuing to decrease.

“Yesterday morning we noticed that there was a rapid drop-off in attacks from the ISPs we identified 3 weeks ago, that had targeted WordPress websites.” reads the analysis published by WordFence.

“This is what the change in activity looked like from the top 50 ISPs from where these attacks were originating during a 72 hour period ending yesterday (Monday) evening. Click the chart for a larger version.”

“As you can see, starting at around midnight on Sunday night (April 30th) Pacific time, the number of attacks we are seeing from ISPs where we found vulnerable routers have dropped from peaks of 40,000 in some cases to peaks of just above 5,000 attacks per hour. In many cases the attacks drop to much lower levels and continue to decrease.”

The root cause of this drop is still unclear, researchers at WordFence believe the situation will be more clear in the next week.

A possible cause is that the attackers ended their operation for some reason, otherwise law enforcement along security firms have tracked the botnet and took down the command and control (C&C) servers.

A few weeks ago, US authorities announced have dismantled the infamous Kelihos botnet. In the same period, the Interpol located and shut down nearly 9,000 Command and control servers located in Asia and hacked with a WordPress plug-in exploit.

This reduction of WordPress attacks originating from hundreds of ISPs worldwide is a good news. The experts were able to track the WordPress attacks originating from these ISPs and ban IP addresses involved in the botnet.

“The attacks originating from these ISPs were also resulting in their IP addresses being blacklisted by Wordfence and other services like SpamHaus. That resulted in the customers of those ISPs suffering because certain websites and services would block them. By reducing these attacks, this ensures those ISP customers have full internet access again.” concluded WordFence.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Misfortune Cookie, WordPress attacks)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.