Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Aethra Botnet Attacks WordPress Sites

This entry was posted in General Security, WordPress Security on December 23, 2015 by Mark Maunder   16 Replies

Exec summary: There is currently a botnet that has been identified that is targeting WordPress websites with a password guessing attack. If you have Wordfence installed with our default settings, you are already protected against this attack. The botnet is powered by modem/router devices. ISP’s are gradually patching the devices but many are left vulnerable or infected as some ISP’s respond slowly to this issue.

Full article:

In February of this year a security researcher at Voidsec noticed brute force attacks on his personal WordPress site and he noticed a pattern in the IP addresses attacking his site. They were mostly Italian internet service providers. They were:

  • Fastweb
  • Albacom, now BT-Italia
  • Clouditalia
  • Qcom
  • WIND
  • BSI Assurance UK

What he discovered is that the IP’s attacking his site were all devices. They were all Aethra modem/routers to be exact. By doing some further sleuthing he discovered that all the Aethra devices involved in the attack were using default login credentials (blank/blank).

The modems had obviously been hacked and the attacker had gained access through the default login. They had then installed malware on the modems that launched a brute force password guessing attack on WordPress sites.

The Aethra devices in question suffer from various XSS vulnerabilities, a CSRF vulnerability and a HTML5 cross-origin resource sharing issue.

The researcher then used Shodan, a search engine for devices on the Net, to find out how many vulnerable Aethra devices are on the Net and found around 8,000 vulnerable devices. They likely used a search on Shodan similar to this one.

They estimate that the amount of bandwidth the combined vulnerable devices have access to is between 1.7 and 17 Gigabits per second. This could be used for a massive distributed denial of service attack.

Voidsec tried to contact all ISP’s without much luck. Fastweb was responsive after a time and they have fully patched all affected routers. BT-Italia has been unresponsive and remains vulnerable.

While this research was happening, Krebs published a post about Lizard Squad, a hacking group, and a new DDoS tool that they were trying out to knock websites (and anyone else) offline. It seems that Lizard Squad may have been using the Aethra vulnerability to power their DDoS botnet.

The timeline was as follows:

  • Feb 13: Voidsec discovers the botnet. They contacted BT-Italy at this time.
  • Feb 25: Tries again to contact BT Italy using various methods with no luck.
  • December 11: FastWeb is told about the vulnerability and they agree on a disclosure schedule.
  • December 22: Disclosure and FastWeb’s routers are fixed.

Here’s the full post on voidsec.com. Voidsec is an Italian company so the post is also available in Italian.

We will continue to monitor activity from this botnet at Wordfence and will share any interesting data we uncover.

There are still many unpatched Aethra router/modems out there and they are still being used to launch attacks. Hopefully with the press coverage around this issue, the unresponsive ISPs involved will patch their customer devices and stop the attacks they’re launching on WordPress websites and other targets.


Did you enjoy this post? Share it!

16 Comments on "Aethra Botnet Attacks WordPress Sites"

Danstan December 23, 2015 at 2:04 pm

Interesting. These ISPs put their customers in jeopardy...need to learn to listen first hand. Sorry.

Jerome January 22, 2016 at 10:22 am

I saw on forums as rental service ADSL box hacked , I think it is not the end of our surprises ...

Doug December 23, 2015 at 2:09 pm

Does Wordfence stop any such attack?

mark December 23, 2015 at 2:15 pm

Yes as we said in the post: if you use Wordfence you are already protected.

mike December 23, 2015 at 2:27 pm

The defaults I get flooded with are admin and *domain name*.*TLD* and *domain name*
My view is bit harsh, but seriously these are not things anyone should be using as user names in the first place. Not to say they deserve to be compromised, just that it seems like an absence of self-preservation.

Graham December 23, 2015 at 2:35 pm

Due to being on the receiving end of this and having a useless host who would do nothing to prevent it, I moved to my own VPS and instituted the opposite of country blocking - I only allow same language countries to access the server (UK, US, Australia, NZ and Canada)

Add in CloudFlare.

Add in Mailgun so I have no mailserver to get hacked.

No FTP, SSH certificate access only.

Auto update of Wordpress is taking some effort to sort as it does not support OpenSSH certificates.

Very happy so far.

Graham December 23, 2015 at 2:38 pm

RE Wordfence - it stopped my 6000+ a day brute force attacks so I am very pleased. Only issue was shared host killed my site because of 'traffic', so that was an issue.

Robert December 23, 2015 at 3:36 pm

During the last couple of days I noticed a lot of login-attempts, of which the majority came from Ukrainian sources... could this be connected ?

Wordfence does detect them - good job ! - and I subsequently block all IP adressess involved permanently.

AllanIt December 23, 2015 at 7:42 pm

I love Wordfence, Have it on all the sites I host but it can only go so far so I also use fail2ban to stop the offending IP Address at the servers firewall. I can recommend fail2ban for anyone who wants to block the hackers before they reach the website.

Vatsala Shukla December 23, 2015 at 8:17 pm

I still remember the Albacom- BT Italia brute force attack. A solid nightmare until I read the thread at Wordfence Support and realized that my website alone was not under attack. That bot or bots was quite clever changing user names and the works.

Thank God for Wordfence!

Adeel Sami December 23, 2015 at 8:49 pm

I am really missing on many things which may get me in trouble if not sooner than later... I must revert back to WordFence!

Thanks for sharing this unfortunate news ... Hope people using that router get immediate help from their ISPs.

~ Adeel

Gamelot December 23, 2015 at 9:28 pm

Wordfence, we believe you'll protect our wp sites!

Rick December 23, 2015 at 10:28 pm

Dealing with some companies can be stressful. We are glad there are great guys like you to alert us of these vulnerabilities.

Edgars December 23, 2015 at 11:35 pm

Lat week on my site has attack from Lithuania country ip. I just block country.

Jonathan Guy December 24, 2015 at 2:37 am

Thanks for the update on this one. What these hackers fail to realise is that they are effectively putting people out of business. We had a client almost go under due to an attack like this.

It might be a bit of fun to them but to hard working SME's it's the difference between keeping a roof over their heads or not.

Thanks Wordfence for keeping us safe!

Scott Neader December 24, 2015 at 9:54 am

Someone should publish a list of the network IPs owned by the unresponsive ISPs. I, for one, would be glad to block all of them at the server level. When their customers start complaining about not being able to get to some websites, maybe they will wake up and take responsibility.

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates