WordPress sites are pretty much cookie-cutter sites, and now there is something interesting to go with that: the MISFORTUNE COOKIE.
Dayboroinfo.com.au is a WordPress site, and WordPress is what we (HELP4BIS) are now qualified in. We take our site security seriously, and when we got our usual newsletters this morning, the one from Wordfence stood out.
The image above shows a snapshot of our average site visits, about 20-odd thousand visits per month. That sounds big, but it is dwarfed by some directory listing sites. Still, it is a good number for a small site like ours. It got us wondering: are we under attack by the Misfortune Cookie?
The answer is NO! Not yet, at Dayboro Info.
Security researchers at Wordfence are reporting that thousands of hacked home routers are attacking WordPress sites. Wordfence's firewall and malware scanner are used on all WordPress sites managed by us (HELP4BIS) and are installed on more than 2 million WordPress sites. Wordfence estimates that 6.7% of all attacks on those sites are coming from hacked home routers, which is a pretty steep number.
“In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites,” Wordfence CEO Mark Maunder said. “Those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.”
So that is quite serious, right?
Yes, it sounds like it, but before you put on your tinfoil hat, pull all the cables out of the wall, cause panic by posting all sorts of weird stuff on Fixbook or run to your doomsday shelter, let's take a step back.
The thing we are talking about is known as the Misfortune Cookie, and it has nothing to do with food. It is a flaw (CVE-2014-9222) in RomPager, the small embedded web server built into many home routers, which usually serves the remote-management service (TR-069) that ISPs (Telstra, Optus, TPG and the like) can use to manage your router should you, as their customer, need remote assistance. That service listens on port 7547, and an attacker who can reach the port from the internet can use the flaw to take over the router. ISPs should close general internet access to this port, but many have not.
Slow down, tiger: no need for the usual abusive comments some people sing about, or to put your dirty boots in by design. Before you ring the alarm bell, here in AU we are reasonably safe.
Fortunately, companies like Telstra, who send you an NBN modem, do not have ports open by default (ports are tech speak for what you could call access, or a door). If a support person needs access to the modem, you need to give them that access manually, so if you do not "fiddle" with your telco-provided modem you should be pretty OK (as far as we can tell).
“It appears that attackers have exploited home routers on Algeria’s state-owned telecommunications network and are using the exploited routers to attack WordPress websites globally,” Maunder said. So that is not us, right? Well... This is not a NEW exploit; it was disclosed back in December 2014, and it is only in the last few days that we have been prompted about this tricky business again. If you have a modem from D-Link, Edimax, Huawei, TP-Link, ZTE or ZyXEL, among others, you might be at risk, and the key word is MIGHT; the list is not exhaustive, and what matters is whether your particular model runs a vulnerable RomPager and has port 7547 reachable from the internet.
Back to the WordPress sites, for example dayboroinfo.com.au and others.
Maunder said his team has mostly seen brute force attacks targeting both wp-login.php (the traditional login endpoint for WordPress) and the XML-RPC login (xmlrpc.php). They have also seen a small percentage of more complex attacks. In total, Wordfence detected 67 million individual attacks in March from the routers the company identified.
While Wordfence researchers were creating their monthly attack report, they noticed that Algeria had jumped from position 60 to 24 in their “Top Attacking Countries” list. Their review of attack data in Algeria revealed a ‘long tail’ of more than 10,000 attacking IPs originating from an Algerian state-owned ISP. Cool, right? Just for those who are a bit “lost” about IPs and ISPs, don’t worry about it too much. Simply said, an ISP is a term that groups all the Telstras, Optuses and TPGs. You could compare it with bread: it all does the same thing, just in different sizes, flavours and colours.
Wordfence researchers scanned the devices to find out what services they are running and found that they are ZyXEL routers usually used in a home internet setting. Many of them have a severe and well-known vulnerability in RomPager, the embedded web server from AllegroSoft (the Misfortune Cookie mentioned above).
“We then dug deeper and discovered that many ISPs around the world have this same issue and those routers are attacking WordPress sites via brute force attacks,” Maunder said.
Sucuri also tracks WordPress brute force attempts, but Perez said current numbers are not remarkable when compared historically to mid-2016.
“I think the reason Sucuri and other companies are not seeing this is that it is a weak ranking signal for malicious behaviour,” Maunder said. “As we point out in the report, each of these IPs is only doing between 50 and 1000 attacks per month on sites. They also only attack for a few hours each. These combined are a very weak ranking signal for malicious behaviour. That low frequency also makes the attacks more efficient because they are less likely to be blocked.”
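The two points above, the brute-forcing of wp-login.php and xmlrpc.php, and Maunder's remark that each router only makes 50 to 1000 attempts a month so the per-IP signal is weak, are easier to see in a log. The following is an added example written for this page, not Wordfence's or Sucuri's code. It parses combined-format web server access logs (the Apache/nginx default), keeps only POSTs to the two login endpoints, and applies two rules: the classic per-IP threshold, and an hourly total summed over all IPs. The thresholds (20 per IP, 100 per hour) and the sample log lines are assumptions constructed for the demonstration; tune the thresholds to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One combined-log-format line (Apache/nginx default): ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # the two endpoints Wordfence saw being brute-forced


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def login_attempts(lines):
    """Keep only POSTs to the WordPress login endpoints (a GET of wp-login.php is just the form)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            yield rec


def per_ip_counts(attempts):
    """Login POSTs per source IP."""
    counts = defaultdict(int)
    for rec in attempts:
        counts[rec["ip"]] += 1
    return dict(counts)


def hourly_totals(attempts):
    """Login POSTs per clock hour, summed over ALL source IPs."""
    totals = defaultdict(int)
    for rec in attempts:
        totals[rec["time"].replace(minute=0, second=0, microsecond=0)] += 1
    return dict(totals)


def flag(lines, per_ip_limit=20, hourly_limit=100):
    """Two views of the same log (thresholds are assumed defaults):
    noisy_ips - the classic signal: one IP hammering the login far above per_ip_limit.
    hot_hours - hours where the SUM over all IPs exceeds hourly_limit; this still fires
                when every hacked router stays politely under the per-IP limit."""
    attempts = list(login_attempts(lines))
    noisy_ips = sorted(ip for ip, n in per_ip_counts(attempts).items() if n > per_ip_limit)
    hot_hours = sorted(h for h, n in hourly_totals(attempts).items() if n > hourly_limit)
    return noisy_ips, hot_hours


def build_sample_log():
    """Constructed sample log (not real traffic): 30 router-like IPs on 203.0.113.0/24 each make
    5 login POSTs within one hour, one old-style attacker on 198.51.100.7 makes 30, plus normal GETs."""
    base = datetime(2017, 4, 12, 3, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(30):
        for j in range(5):
            t = base + timedelta(seconds=i * 100 + j * 10)
            path = "/xmlrpc.php" if j % 2 else "/wp-login.php"
            lines.append(f'203.0.113.{i + 1} - - [{t.strftime(fmt)}] "POST {path} HTTP/1.1" 200 3421')
    for k in range(30):
        t = base + timedelta(seconds=k * 30)
        lines.append(f'198.51.100.7 - - [{t.strftime(fmt)}] "POST /wp-login.php HTTP/1.1" 200 3421')
    for k in range(3):
        t = base + timedelta(minutes=10 * k)
        lines.append(f'192.0.2.{k + 1} - - [{t.strftime(fmt)}] "GET /wp-login.php HTTP/1.1" 200 2240')
    return lines


if __name__ == "__main__":
    noisy, hot = flag(build_sample_log())
    print("noisy IPs:", noisy)
    print("hot hours:", [h.isoformat() for h in hot])
```

On the constructed sample the per-IP rule only catches 198.51.100.7; the thirty router IPs each sit at 5 attempts and never trip it, which is exactly the "weak ranking signal" Maunder describes. The hourly total (180 login POSTs in one hour) still fires even if you delete the noisy attacker from the log, so a site-wide rate on the login endpoints is the check worth adding alongside the usual per-IP lockout.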
This particular security issue is unusual in that the vulnerability is in the routers, not in WordPress itself. The attackers bulk-hack thousands of devices, upload a WordPress attack script and a list of targets, and then have thousands of routers under their control to attack WordPress sites.
This type of botnet is not terribly uncommon: security researchers from ESET recently uncovered new malware called Sathurbot that uses torrent files to spread and then runs coordinated brute-force attacks on WordPress sites. The weakness in that case is not in the software but in weak WordPress administrator passwords.
Protecting against brute force attacks starts with a strong, unique administrator password. There are also many popular plugins, such as Shield Security, the Jetpack Protect module, iThemes Security and Wordfence, which offer protection from brute force attacks.
If you want to make sure your router cannot be recruited for these attacks, Wordfence has created a tool that makes it easy to check: it detects whether your home router has port 7547 open to the internet and whether it is running a vulnerable version of RomPager.
If you find that your router is vulnerable or port 7547 is open, Wordfence has published instructions for how to secure your device. Keep in mind that check is specific to that one port; if you want to scan all the ports that might be open on your router, check Port Forwarding Tester.
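For those who would rather see what such a check does than trust a web form, here is an added example written for this page; it is not Wordfence's tool. It makes one TCP connection to port 7547, sends a bare HTTP request, and reads the Server: banner. AllegroSoft fixed Misfortune Cookie in RomPager 4.34, so a banner reporting an older RomPager is treated as vulnerable; a banner that is not RomPager, or no banner at all, is reported as such rather than guessed at. The local listener and the canned RomPager/4.07 banner used by demo_local_probe() are constructed for the demonstration, not captured from a real device. Two caveats: run it from OUTSIDE your home network against your public IP (from inside you only test the LAN side of the modem), and a banner check is a heuristic, so treat "not-rompager" or "unknown" as "inconclusive", not "safe".

```python
import re
import socket
import sys
import threading

TR069_PORT = 7547          # TR-069 / CWMP remote-management port the attacks go after
FIXED_ROMPAGER = (4, 34)   # AllegroSoft fixed Misfortune Cookie in RomPager 4.34


def read_server_header(sock, host):
    """Send a bare HTTP/1.0 request on an open socket and return the Server: value (or None)."""
    sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
    data = b""
    while b"\r\n\r\n" not in data and len(data) < 8192:
        try:
            chunk = sock.recv(1024)
        except OSError:                  # read timeout or reset: use whatever we have
            break
        if not chunk:
            break
        data += chunk
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return None


def probe(host, port=TR069_PORT, timeout=3.0):
    """One TCP connection: ('closed', None), ('unreachable', None) or ('open', server_header)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", None)
    except OSError:                      # filtered, timed out, no route
        return ("unreachable", None)
    with sock:
        return ("open", read_server_header(sock, host))


def parse_rompager_version(server_header):
    """'RomPager/4.07 UPnP/1.0' -> (4, 7); None when the banner is not RomPager."""
    m = re.search(r"RomPager/(\d+)\.(\d+)", server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(server_header):
    """Classify a Server: banner as 'unknown', 'not-rompager', 'vulnerable' or 'patched'."""
    if server_header is None:
        return "unknown"
    version = parse_rompager_version(server_header)
    if version is None:
        return "not-rompager"
    return "vulnerable" if version < FIXED_ROMPAGER else "patched"


def check_router(host, port=TR069_PORT, timeout=3.0):
    """'closed' / 'unreachable' when nothing answers; otherwise the assess() verdict on the banner."""
    state, header = probe(host, port, timeout)
    return assess(header) if state == "open" else state


# Constructed banner of the kind an old, unpatched RomPager-based router returns (not from a real device).
FAKE_OLD_BANNER = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: RomPager/4.07 UPnP/1.0\r\n"
                   b"Content-Length: 0\r\n\r\n")


def demo_local_probe(banner=FAKE_OLD_BANNER):
    """Run check_router() end to end against a throwaway listener on 127.0.0.1 that replies with `banner`."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.recv(1024)              # read the request, then answer with the canned banner
            conn.sendall(banner)

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    try:
        return check_router("127.0.0.1", port)
    finally:
        worker.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    # Usage: python misfortune_check.py <your-public-ip>   (run from outside your home network)
    print(check_router(sys.argv[1]) if len(sys.argv) > 1 else demo_local_probe())
```

Without an argument the script only probes its own throwaway listener and prints "vulnerable", which is the banner it was fed. A result of "closed" or "unreachable" against your public IP is what you want to see on port 7547; "patched" or "not-rompager" means the port is reachable and should still be shut off at the modem or by your ISP, as the Wordfence instructions describe.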