Exec summary: There is currently a botnet that has been identified that is targeting WordPress websites with a password guessing attack. If you have Wordfence installed with our default settings, you are already protected against this attack. The botnet is powered by modem/router devices. ISP’s are gradually patching the devices but many are left vulnerable or infected as some ISP’s respond slowly to this issue.
In February of this year a security researcher at Voidsec noticed brute force attacks on his personal WordPress site and he noticed a pattern in the IP addresses attacking his site. They were mostly Italian internet service providers. They were:
- Albacom, now BT-Italia
- BSI Assurance UK
What he discovered is that the IP’s attacking his site were all devices. They were all Aethra modem/routers to be exact. By doing some further sleuthing he discovered that all the Aethra devices involved in the attack were using default login credentials (blank/blank).
The modems had obviously been hacked and the attacker had gained access through the default login. They had then installed malware on the modems that launched a brute force password guessing attack on WordPress sites.
The Aethra devices in question suffer from various XSS vulnerabilities, a CSRF vulnerability and a HTML5 cross-origin resource sharing issue.
The researcher then used Shodan, a search engine for devices on the Net, to find out how many vulnerable Aethra devices are on the Net and found around 8,000 vulnerable devices. They likely used a search on Shodan similar to this one.
They estimate that the amount of bandwidth the combined vulnerable devices have access to is between 1.7 and 17 Gigabits per second. This could be used for a massive distributed denial of service attack.
Voidsec tried to contact all ISP’s without much luck. Fastweb was responsive after a time and they have fully patched all affected routers. BT-Italia has been unresponsive and remains vulnerable.
While this research was happening, Krebs published a post about Lizard Squad, a hacking group, and a new DDoS tool that they were trying out to knock websites (and anyone else) offline. It seems that Lizard Squad may have been using the Aethra vulnerability to power their DDoS botnet.
The timeline was as follows:
- Feb 13: Voidsec discovers the botnet. They contacted BT-Italy at this time.
- Feb 25: Tries again to contact BT Italy using various methods with no luck.
- December 11: FastWeb is told about the vulnerability and they agree on a disclosure schedule.
- December 22: Disclosure and FastWeb’s routers are fixed.
Here’s the full post on voidsec.com. Voidsec is an Italian company so the post is also available in Italian.
We will continue to monitor activity from this botnet at Wordfence and will share any interesting data we uncover.
There are still many unpatched Aethra router/modems out there and they are still being used to launch attacks. Hopefully with the press coverage around this issue, the unresponsive ISPs involved will patch their customer devices and stop the attacks they’re launching on WordPress websites and other targets.