Thousands of routers are used to hack WordPress based websites
Wordfence specialists found that vulnerable routers are used to brute-force WordPress based websites.
Experts noticed something strange last month when the amount of cyber-attacks in Algeria jumped suddenly. The country went from 60th to 24th place in Wordfence rating. A closer look at the problem shown that the Algerian WordPress websites were attacked from 10 000 different IP-addresses. And 95% of those addresses are own by a local Internet provider –
Telecom Algeria.
It turned out that hackers compromised a large amount of routers provided by Telecom Algeria to their clients. Specifically, researchers have found 1501 vulnerable routers ZyXEL ZyWALL 2 owned by the provider that were vulnerable to a TR-069 protocol attacks. More than 1 000 000 German and British providers suffered because of this bug when the devices were attacked by IoT-malware Mirai.
However, the Algerian provided was not the only one that suffered from that attack. Researchers found out that 27 other providers worldwide, including russian “Rostelecom” and “Megafon”, are in a similar situation.
Most of those routers are working with a vulnerable version of web server Allegro RomPager 4.07 UPnP|1.0. The thing is that RomPager versions older than 4.34 have a CVE-2014-9222 vulnerability also known as Misfortune Cookie. This bug was found back in 2014. Using this vulnerability hackers can compromise Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other routers.
As a result, vulnerable routers become a powerful instrument in a hacker’s hands. During the investigation researchers recorded attacks from more than 90 000 IP-addresses owned by various providers. Specialists say things can get much worse. There are more than 41 000 000 of vulnerable devices worldwide, and TR-069 protocol is widely used by providers.
Wordfence developers provide a simple instrument that will check any router to determine if port 7547 is open on your router.