Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Home Router Botnet Resumes Attacks

This entry was posted in Research, WordPress Security on June 15, 2017 by Dan Moen   18 Replies

Yesterday at 7pm UTC (noon PDT) we saw the volume of brute force attacks on the WordPress sites that we protect more than double from the average for the previous 24 hours. The number of attacking IPs more than tripled.

The chart below shows the count of attacks per hour from June 12th onward. You can see a very obvious spike followed by about a 10-hour pull-back, and then another surge almost back to the high we saw with the spike.

Brute Force Attack Spike June 2017

We dug into the IP addresses behind the attacks to try to figure out who or what is behind the abrupt surge.

Home Routers Again?

Back in April, we wrote about a home router botnet that was being used to attack WordPress websites. Many of those attacks were originating from IPs that had a specific port (7547) open and were running a vulnerable version of remote management software called Rompager. We published a list of 28 ISPs with suspicious attack patterns indicating compromised routers and built a tool that checks if your router is vulnerable. In early May we wrote about that same botnet shutting down.

In the table below we show the top 20 ISPs by number of IP addresses involved in the latest surge and actively attacking. We also show the average number of hourly attacks per IP. Please note the the average is likely understated, as we accumulated attacks during a four-hour window and did not account for IPs that started or stopped attacking in the middle of the time window.

Comparing that list to the ISPs with the most new attacking IPs yields interesting results. Of the top 20 ISPs involved in attack surge, all 20 of them were on our earlier list of 28. The IPs are also attacking at low volume, which is consistent with what we saw in April. We also spot checked many of the IPs, and did find port 7547 open on some of them.

While we cannot be 100% certain that the surge in attack volume can be attributed to the home router botnet we wrote about in April or the attacker that was behind it, the data very strongly suggests it is. We will continue to monitor the attacks and report on anything interesting we find here on the blog.

How Does This Impact You?

Most site owners should expect to see a significant increase in password-guessing attack volume, if they haven’t already. We have written at length about how to protect against brute force attacks, including the serendipitous Learning Center article that we posted yesterday, Introduction to Brute Force Attacks. In that article, we mention several steps you can immediately take on your websites to harden your defenses against brute force password-guessing attacks as much as possible, which will make your website really, really tough to break into. The harder it is to guess your username and password and break through your site’s defenses, the greater the likelihood that any would-be hacker will simply move on to a much easier target.

The Wordfence Premium IP Blacklist responded to the attacks beautifully, growing from 1,444 IPs before the attack to 5,592 three hours later. At the time of this writing there are 6,928 IPs on the list and it continues to grow. At the height of the previous botnet attack there were over 10,000 IPs on the blacklist.

For those of you who aren’t certain that your site security is up to the challenge, you might consider having our security services team audit your site security. It costs $149 and includes a one-year Wordfence Premium subscription.

Did you enjoy this post? Share it!


4.29 (35 votes) Your rating:

18 Comments on "Home Router Botnet Resumes Attacks"

Adam Fyfe June 15, 2017 at 10:14 am • Reply

Great work as always guys, we use your product heavily and so far (fingers crossed) we have been A OK.

Keep up the great work and thanks for making the internet safer!

Cheers

Adam

Theodor June 15, 2017 at 11:18 am • Reply

Great work, I noticed a increase in password guessing during the night when I woke up. But the attacks I got didn't seem to be from any of those IPs.

DaddyStork June 15, 2017 at 11:43 am • Reply

Yesterday: We published an article about brute force attacks
Today: We saw an increase in brute force attacks...

Do you think there is a correlation between these two? Or is this largely a coincidence of epic proportions? I've always wondered how (without ever wanting to say it, but now feeling partially obligated) what you [the royal variety] publish/say/do affects the behavior of others. If an FBI agent speaks on a specific bomb that was used and materials used to make it if terrorists (or wanna-be terrorists / thugs) buy those materials as a result or even try to make it, or a politician speaks about a particular issue if there's an increase in protests, or even if a web security company posts an article about brute force attacks, if that inspires more of the same behavior given the new information into the social environment.

Thus, I'm led to wonder if one begets the other; this being a prime example because you guys & gals would have data immediately ready to analyze. You could begrudgingly say, yes, statistically there could be a 10% relations with +/- 2% error (as a guess) between our article and this result.

Do you take these things into consideration?

I've seen Wordfence post more specific types of attacks in the past, knowing that the information on how that attack worked would be useless to those who may [stupidly & extremely ignorantly] try to use it, even back against you, but it's always been itching in the back of my mind if you're aware, or if you have even looked, to see if there's a relationship there?

The bigger picture is an interesting topic for the media and bigger issues, but this micro example is also interesting and I'm so very curious to learn your thoughts!

As always, thanks for the great work!

Greg June 16, 2017 at 1:15 am • Reply

The problem here is that most of the time in security and in security courses (can be web security, network, general IT etc) the way you are taught to defend and protect is by learning how the attack is carried out.

Essentially the preventions you are taught could be reversed and used to attack. Its the same with many of the testing / security tools and suites out there, their official statement will say its purely for education and security however these same tools are also used to attack.

Take Linux Kali for an example, ideally its a great tool to test your security and other such things, especially with its include of things like WP scan etc but on the other hand its a hackers wet dream too, it gives a potential attacker everything they require.

What you have here is a vicious circle of life.

Dan Moen June 15, 2017 at 12:28 pm • Reply

I think the odds that there is correlation between yesterday's blog post and the surge in attacks is near zero. Given the number of IPs that are involved in the attacks and that they appear to be compromised routers suggests a pretty sophisticated attacker. It is also very likely that they had control of their botnet well before we published our post, as it would be a pretty tall task to compromise thousands of routers and then launch a coordinated attack in the space of a couple hours.
Your deeper question is an interesting one. We feel strongly that teaching website owners about security and informing them about trends and the tactics we're seeing from attackers helps them defend their sites better. And while there could be some downsides, we think the benefits far outweigh them.

Talisa June 15, 2017 at 2:15 pm • Reply

Question, are the free users of Wordfence protected from this in any way?

Dan Moen June 15, 2017 at 4:42 pm • Reply

Hi Talisa, yes, the free version of Wordfence includes a number of tools for protecting against brute force attacks including locking out users after too many failed login attempts, locking out anyone who uses an invalid user name and preventing WordPress from giving hackers information about what usernames exist on your system.

Tess June 15, 2017 at 2:47 pm • Reply

Just saw 3,404 attacks from a Chinese IP in an hour and one password attempt from Canada. Love Wordfence - thanks Wordfence team!

Esa Rantanen June 15, 2017 at 11:35 pm • Reply

Good info, thank you. Could it be that, if not a home router, but a pirated versions of Windows could be a culprit of some level? The attacks I'm seeing come from very exotic locations, and it leads me to thinking that there must be Windows installed from unknown sources, like torrent P2P sharing sites. Being a Windows user in my past, I know every Windows user have their hard disks full of pirated software.

Dan Moen June 16, 2017 at 8:07 am • Reply

It's very possible that some of the attacking IPs are compromised windows machines. We were able to verify that some of the IPs were likely compromised routers, but have no data to base an assumption on for the rest of them.

Mike June 15, 2017 at 11:42 pm • Reply

Insightful article. We've had several attacks recently with WP websites, and I think there needs to be a re-structuring of file handling when it comes to wordpress. It's very vulnerable to these types of attacks.

Tim Owen June 16, 2017 at 5:06 am • Reply

Well done keeping up the fight on our behalf - I have seen a slight increase in ips trying to login but if you can, I recommend that you move the login from wp-login.php file to another file and get rid of the widget on the front page - in many months none of the attacks had been able even to access my login page and every attempt returns a page not found error - you can then use wordfence to block these IPs. - It means you have an extra level of security. There is a plugin that will do it all for you (except removing the widget from the front page - do that immediately or you new login becomes visible). It just means that anyone wanting to login needs to know to go to www.mywordpresssite.whatever/mynewlogin to get the login screen up - that seem to be the end of brute force attacks for me.

Dan Moen June 16, 2017 at 8:17 am • Reply

We don't recommend this approach, as the majority of attacks attempt to log in via XMLRPC and moving your login page can break things. Check out this post from January where we break down attacks and attackers by XMLRPC and wp-login: https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/.

Sharon Jackson June 16, 2017 at 10:07 am • Reply

I not only use hard to guess usernames and passwords, but I also use a plugin called "Hide My Login." When you have this activated the wp-login.php page is "Not Found." You have to type in a word of your choice after your domain name i.e. http://yourdomain/minniemouse that will then take you to the log in page.

Does this help against brute force attacks or does it only make me feel better :)

Dan Moen June 16, 2017 at 10:49 am • Reply

See my earlier reply on the same subject. We don't recommend it because the majority of attacks target XMLRPC, not wp-login.php and it can cause issues. Additionally, most attackers try to log in using both methods. This post from January shows you the breakdown by XMLRPC and wp-login: https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/. Using hard to guess usernames and strong passwords for admin users is the first and most important step in protecting against these attacks.

Sharon Jackson June 16, 2017 at 11:03 am • Reply

Thank you, Dan.

Andrew Sampson June 19, 2017 at 1:33 pm • Reply

Hi Dan
Over the weekend we have seen an enormous quantity of brute force attacks on one of our websites. All from China.
Looking at your stats above am curious that China wasn't mentioned.
Have you experienced the same?
Thanks

Andrew

Andie La-Rosa June 20, 2017 at 10:07 am • Reply

Hi Andrew,

That wasn't the case with the broader data results that we surveyed, no, but certainly something to keep an eye on with your own websites!

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.