Aethra Botnet Attacks WordPress Sites

Exec summary: There is currently a botnet that has been identified that is targeting WordPress websites with a password guessing attack. If you have Wordfence installed with our default settings, you are already protected against this attack. The botnet is powered by modem/router devices. ISP’s are gradually patching the devices but many are left vulnerable or infected as some ISP’s respond slowly to this issue.

Full article:

In February of this year a security researcher at Voidsec noticed brute force attacks on his personal WordPress site and he noticed a pattern in the IP addresses attacking his site. They were mostly Italian internet service providers. They were:

  • Fastweb
  • Albacom, now BT-Italia
  • Clouditalia
  • Qcom
  • WIND
  • BSI Assurance UK

What he discovered is that the IP’s attacking his site were all devices. They were all Aethra modem/routers to be exact. By doing some further sleuthing he discovered that all the Aethra devices involved in the attack were using default login credentials (blank/blank).

The modems had obviously been hacked and the attacker had gained access through the default login. They had then installed malware on the modems that launched a brute force password guessing attack on WordPress sites.

The Aethra devices in question suffer from various XSS vulnerabilities, a CSRF vulnerability and a HTML5 cross-origin resource sharing issue.

The researcher then used Shodan, a search engine for devices on the Net, to find out how many vulnerable Aethra devices are on the Net and found around 8,000 vulnerable devices. They likely used a search on Shodan similar to this one.

They estimate that the amount of bandwidth the combined vulnerable devices have access to is between 1.7 and 17 Gigabits per second. This could be used for a massive distributed denial of service attack.

Voidsec tried to contact all ISP’s without much luck. Fastweb was responsive after a time and they have fully patched all affected routers. BT-Italia has been unresponsive and remains vulnerable.

While this research was happening, Krebs published a post about Lizard Squad, a hacking group, and a new DDoS tool that they were trying out to knock websites (and anyone else) offline. It seems that Lizard Squad may have been using the Aethra vulnerability to power their DDoS botnet.

The timeline was as follows:

  • Feb 13: Voidsec discovers the botnet. They contacted BT-Italy at this time.
  • Feb 25: Tries again to contact BT Italy using various methods with no luck.
  • December 11: FastWeb is told about the vulnerability and they agree on a disclosure schedule.
  • December 22: Disclosure and FastWeb’s routers are fixed.

Here’s the full post on voidsec.com. Voidsec is an Italian company so the post is also available in Italian.

We will continue to monitor activity from this botnet at Wordfence and will share any interesting data we uncover.

There are still many unpatched Aethra router/modems out there and they are still being used to launch attacks. Hopefully with the press coverage around this issue, the unresponsive ISPs involved will patch their customer devices and stop the attacks they’re launching on WordPress websites and other targets.

 

Did you enjoy this post? Share it!

Comments

16 Comments
  • Interesting. These ISPs put their customers in jeopardy...need to learn to listen first hand. Sorry.

    • I saw on forums as rental service ADSL box hacked , I think it is not the end of our surprises ...

  • So,
    Does Wordfence stop any such attack?
    Thanks
    DD

    • Yes as we said in the post: if you use Wordfence you are already protected.

  • The defaults I get flooded with are admin and *domain name*.*TLD* and *domain name*
    My view is bit harsh, but seriously these are not things anyone should be using as user names in the first place. Not to say they deserve to be compromised, just that it seems like an absence of self-preservation.

  • Due to being on the receiving end of this and having a useless host who would do nothing to prevent it, I moved to my own VPS and instituted the opposite of country blocking - I only allow same language countries to access the server (UK, US, Australia, NZ and Canada)

    Add in CloudFlare.

    Add in Mailgun so I have no mailserver to get hacked.

    No FTP, SSH certificate access only.

    Auto update of Wordpress is taking some effort to sort as it does not support OpenSSH certificates.

    Very happy so far.

  • RE Wordfence - it stopped my 6000+ a day brute force attacks so I am very pleased. Only issue was shared host killed my site because of 'traffic', so that was an issue.

  • During the last couple of days I noticed a lot of login-attempts, of which the majority came from Ukrainian sources... could this be connected ?

    Wordfence does detect them - good job ! - and I subsequently block all IP adressess involved permanently.

  • I love Wordfence, Have it on all the sites I host but it can only go so far so I also use fail2ban to stop the offending IP Address at the servers firewall. I can recommend fail2ban for anyone who wants to block the hackers before they reach the website.

  • I still remember the Albacom- BT Italia brute force attack. A solid nightmare until I read the thread at Wordfence Support and realized that my website alone was not under attack. That bot or bots was quite clever changing user names and the works.

    Thank God for Wordfence!

  • I am really missing on many things which may get me in trouble if not sooner than later... I must revert back to WordFence!

    Thanks for sharing this unfortunate news ... Hope people using that router get immediate help from their ISPs.

    ~ Adeel

  • Wordfence, we believe you'll protect our wp sites!

  • Dealing with some companies can be stressful. We are glad there are great guys like you to alert us of these vulnerabilities.

  • Lat week on my site has attack from Lithuania country ip. I just block country.

  • Thanks for the update on this one. What these hackers fail to realise is that they are effectively putting people out of business. We had a client almost go under due to an attack like this.

    It might be a bit of fun to them but to hard working SME's it's the difference between keeping a roof over their heads or not.

    Thanks Wordfence for keeping us safe!

  • Someone should publish a list of the network IPs owned by the unresponsive ISPs. I, for one, would be glad to block all of them at the server level. When their customers start complaining about not being able to get to some websites, maybe they will wake up and take responsibility.