Last week the good folks at Wordfence noticed something very interesting while compiling their monthly attack report. Algeria had raced from 60th place in their “Top Attacking Countries” list, to 24th place. That is obviously a huge jump in a very short time. Upon closer review, they realized that more than 10,000 IP addresses originating in Algeria were attacking WordPress websites globally. Each IP address only generated a couple hundred “burst attacks” in the entire month.
“These IPs switch on, perform a few attacks and then switch off and aren’t heard from again for a month. What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.
The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.”
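To show why the per-IP thresholds this attacker is evading miss the pattern Wordfence describes, here is an added Python example (not from the Wordfence report or this post) that runs a classic per-IP rule and an origin-grouped rule over constructed access-log lines; the prefix-to-origin map and the thresholds are assumptions standing in for a real GeoIP/ASN lookup.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample web-server log lines (not from the original post):
# a few hosts from one origin trying once or twice each, plus one classic
# single-host brute-forcer.
SAMPLE_LOG = """\
41.100.5.1 - - [13/Mar/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
41.100.5.1 - - [13/Mar/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
41.100.9.77 - - [13/Mar/2017:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
41.101.44.2 - - [13/Mar/2017:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410
41.101.44.9 - - [13/Mar/2017:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
41.111.3.3 - - [13/Mar/2017:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 9000
203.0.113.8 - - [13/Mar/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [13/Mar/2017:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [13/Mar/2017:10:06:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [13/Mar/2017:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [13/Mar/2017:10:06:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [13/Mar/2017:10:06:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

# Constructed prefix-to-origin map; a real deployment would use GeoIP/ASN data.
ORIGIN_MAP = {ip_network("41.100.0.0/14"): "DZ-telecom",
              ip_network("198.51.100.0/24"): "NET-A",
              ip_network("203.0.113.0/24"): "NET-B"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def login_attempts(log_text):
    """Count POSTs to the WordPress login endpoints per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3) in LOGIN_PATHS:
            counts[m.group(1)] += 1
    return counts

def origin_of(ip):
    addr = ip_address(ip)
    return next((label for net, label in ORIGIN_MAP.items() if addr in net), "unknown")

def noisy_ips(counts, per_ip_threshold=5):
    """Classic per-IP rule: only catches a single host hammering the login page."""
    return {ip for ip, n in counts.items() if n >= per_ip_threshold}

def distributed_groups(counts, min_ips=3, max_per_ip=2.0):
    """Group by origin; flag groups with many distinct IPs and few attempts each."""
    by_origin = defaultdict(list)
    for ip, n in counts.items():
        by_origin[origin_of(ip)].append(n)
    return {o: (len(v), sum(v)) for o, v in by_origin.items()
            if len(v) >= min_ips and sum(v) / len(v) <= max_per_ip}
```

With these inputs the per-IP rule flags only the single brute-forcer, while the origin-grouped rule is what surfaces the low-frequency, many-IP group.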
Most of the attacks originated from Telecom Algeria, which is a state owned provider in Algeria. The routers being exploited and used in the botnet are ZyXEL routers utilizing the Allegro RomPager embedded web server. The “Misfortune Cookie” exploit was discovered by Check Point back in 2014. Port 7547 (the management port) and the TR-069 protocol are both used by the ZyXEL routers, and both have had fairly significant security vulnerabilities. 41 million devices on the internet are listening on port 7547 and the TR-069 protocol is used globally. In fact, as Wordfence mentions…
“6.7% of Attacks on WordPress Sites are from Home Routers with Port 7547 Open”
But what does this mean and how can it affect you? First, let me preface with the fact that this vulnerability is currently being exploited in Algeria and India. Regardless, the following remains true. If an attacker is able to exploit a vulnerability in your home router – they can access your home network and all of the devices on it. Think about that for a minute. How many devices do you currently have connected to your home network? Security cameras? Your home security system? A wireless baby monitor, doorbell cameras or intercom, perhaps? Network storage with family photos, financial documents, etc? Even if you have absolutely nothing that you care about, nothing of value to you (or anyone else)… your exploited router is still capable of causing damage to others as a member of a reasonably sophisticated botnet, being used to attack WordPress sites globally. Is your home router being used to attack WordPress sites?
How can you ensure your router isn’t affected? There are a number of ways to check which ports you have open, but in this case you can simply go to the Wordfence site HERE and click “Scan Me”. It will attempt to connect to your router on port 7547 and determine if you are vulnerable to the Misfortune Cookie vulnerability.
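As an added example (not the Wordfence scanner and not code from this post), the following Python script does the same basic reachability check by hand: it connects to TCP 7547 and reads the HTTP Server banner, so it only tells you whether the port answers and whether RomPager is the server, not whether the Misfortune Cookie bug itself is present. The sample response, the placeholder address and the timeout are assumptions.

```python
import socket

MGMT_PORT = 7547  # TR-069/CWMP management port discussed in the post

# Constructed sample response, standing in for what a RomPager device might send.
SAMPLE_RESPONSE = (b"HTTP/1.1 401 Unauthorized\r\n"
                   b"Server: RomPager/4.07\r\n"
                   b'WWW-Authenticate: Basic realm="router"\r\n\r\n')

def parse_server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def classify(reachable, server):
    """Map the probe result to a short verdict for the router owner."""
    if not reachable:
        return "closed"              # nothing answered on 7547
    if server and "rompager" in server.lower():
        return "open-rompager"       # exposed AND running the affected web server family
    return "open"                    # exposed; ask the ISP to filter it regardless

def check_port_7547(host, timeout=3.0):
    """Connect to host:7547 and read an HTTP banner.

    Probe your own public IP from a connection outside your LAN; a LAN-side
    result says nothing about what the public internet can reach.
    """
    try:
        with socket.create_connection((host, MGMT_PORT), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            raw = sock.recv(4096)
    except OSError:
        return classify(False, None)
    return classify(True, parse_server_header(raw))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # placeholder public IP
    print(target, "->", check_port_7547(target))
```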
Further, they’ve put together a great list of “next steps” should you find your router to be vulnerable.
If you are vulnerable, we recommend that you:
- Immediately reboot your home router. This may flush any malware from your home router.
- Upgrade your router firmware if you can to the newest version. Close port 7547 in your router config if you are able to. (Many routers don’t allow this)
- If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.
- Run a virus scan on all your home workstations.
- Update all home workstations and devices to the newest versions of operating system and applications or apps.
- Update any firmware on home devices where needed.
If you are not vulnerable, but port 7547 is open on your router, we recommend that you:
- Reboot your home router immediately. You may suffer from other port 7547 vulnerabilities.
- Upgrade your router firmware if you can.
- Close port 7547 on your router if you can. (Many routers don’t allow this)
- Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet accessing it.
As a home user, you really need to be your own advocate. Become familiar with the components you’ve used and learn how to update your firmware, enable/disable features and configure ports. Follow well known security blogs (like Technobabble, Tripwire and Wordfence) and help educate others!