While preparing the Wordfence monthly attack report, the Wordfence team noticed that Algeria had moved from position 60 in its “Top Attacking Countries” list to position 24. That was a big jump, and they wanted to know why Algeria had climbed the attack rankings so rapidly.
On closer examination they found that over 10,000 IP addresses in Algeria had attacked WordPress websites in March. Most of those IPs launched only between 50 and 1,000 attacks during the entire month.
The original post includes a histogram that groups IP addresses by the number of times they attacked. The spike on its left shows that the most common attack count for a single IP was around 100 to 200. Few of the attacking IPs generated more than 2,000 attacks during the entire month of March 2017.
They then extracted the full list of Algerian attacking IPs along with the time of the first and last attack logged for each. The majority of the IPs spent just a few hours attacking and then went quiet for the rest of the month.
These IPs switch on, perform a few attacks, switch off and aren’t heard from again for a month. What Wordfence had found is a botnet distributed across thousands of IPs: each IP performs only a few attacks, those attacks are spread across many websites, and each burst lasts only minutes or hours.
The attacker controlling this botnet is using several evasive techniques: spreading the attacks across a very large number of IP addresses, keeping the attack frequency per IP low to avoid being blocked, and spreading the attacks across a large number of WordPress sites.
These evasive techniques indicate a higher level of sophistication than Wordfence has seen from, for example, “PP Sks-Lugan”, which they have written about in the past and where a single IP generates millions of attacks.
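As an added illustration (not Wordfence’s code), the Python below profiles a constructed attack log the way the analysis above does: it buckets IPs by attack count into a histogram, measures each IP’s first-to-last attack window, and filters for the low-volume, short-burst, many-target signature while leaving a single high-volume IP unmatched. The log format, the documentation-range addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SITES = ["site-a.example", "site-b.example", "site-c.example", "site-d.example"]

def build_sample_log():
    """Constructed sample log ('timestamp ip target' per line): three burst IPs
    (120/160/200 attacks, each active ~2-3 hours on one day) plus one noisy IP
    hitting a single site for most of the month. Documentation-range addresses."""
    lines, base = [], datetime(2017, 3, 2, 1, 0, 0)
    for k, ip in enumerate(["203.0.113.5", "203.0.113.6", "203.0.113.7"]):
        for i in range(120 + 40 * k):
            t = base + timedelta(days=k, minutes=i)
            lines.append(f"{t.isoformat()} {ip} {SITES[i % 4]}")
    for i in range(2500):                        # 2500 x 15 min = ~26 days
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} 198.51.100.9 {SITES[0]}")
    return "\n".join(lines)

def parse_log(text):
    """Group events by source IP: ip -> [(datetime, target), ...]."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, site = line.split()
        events[ip].append((datetime.fromisoformat(ts), site))
    return events

def profile_ips(events):
    """Per IP: attack count, distinct targets, first-to-last window in hours."""
    profiles = {}
    for ip, evs in events.items():
        times = [t for t, _ in evs]
        profiles[ip] = {"attacks": len(evs), "targets": len({s for _, s in evs}),
                        "active_hours": (max(times) - min(times)).total_seconds() / 3600}
    return profiles

def histogram(profiles, bucket=100):
    """Count IPs per attack-count bucket, like the histogram described above."""
    counts = Counter()
    for p in profiles.values():
        lo = (p["attacks"] // bucket) * bucket
        counts[(lo, lo + bucket)] += 1
    return dict(counts)

def low_and_slow(profiles, max_attacks=1000, max_hours=24, min_targets=3):
    """IPs fitting the distributed pattern: modest volume, short burst, many sites."""
    return sorted(ip for ip, p in profiles.items()
                  if p["attacks"] <= max_attacks and p["active_hours"] <= max_hours
                  and p["targets"] >= min_targets)
```

Against the constructed log, the three burst IPs fall into the 100-200 and 200-300 buckets and match the filter, while the noisy single IP (2,500 attacks over 26 days against one site) does not.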
Hacked Home Routers Hacking WordPress
When they looked at who owns each of the attacking IPs in Algeria, they found that over 97% of them are owned by Telecom Algeria. There are approximately 30 different ISPs in Algeria. There were some attacks from other networks, but nothing compared to the volume originating from Telecom Algeria.
Telecom Algeria is the state-owned telecommunications provider in Algeria and the largest telecommunications provider in the country.
It appears that attackers have exploited home routers on Algeria’s state-owned telecommunications network and are using those routers to attack WordPress websites globally.
6.7% of Attacks on WordPress Sites are from Home Routers with Port 7547 Open
In addition to the network surveys, Wordfence also surveyed 865,467 additional IP addresses that had engaged in brute force or complex attacks. Of those, 57,971 have port 7547 open, indicating that they are home routers from which attacks are originating.
That means that 6.7% of all attacks on WordPress sites that Wordfence protects came from home routers with port 7547 open.
Shodan, an Internet survey search engine, currently shows that over 41 million devices on the Internet are listening on port 7547, the port on which customer routers accept TR-069 (CWMP) connection requests from their ISP’s management servers. The TR-069 protocol is widely used among ISPs worldwide.
The Security Risk to Home Users
If a home router is successfully exploited, an attacker can access your internal home network. They have bypassed any firewall function the router provides and its network address translation (NAT). This lets them attack internal targets such as workstations, mobile devices on Wi-Fi, and IoT devices like home climate control systems and home cameras.
Wordfence is already seeing bulk exploitation of TR-069 which has turned home routers into a botnet attacking WordPress sites. It is quite feasible that home network exploitation is already underway as well.
Security Risk to the Internet at Large
OVH was hit by a 1 Terabyte DDoS attack in September last year, one of the largest in history. Approximately 152,000 compromised IoT (Internet of Things) devices generated the traffic in that attack.
In just the past month, Wordfence has seen over 90,000 unique IP addresses at 28 ISPs that fit its compromised-router attack pattern. There is a very large number of compromised ISP routers out there performing attacks and acting in concert.
At this point it would not be a stretch to say that vulnerabilities in TR-069 may have created a very large botnet which could soon generate the largest DDoS attack the Internet has ever seen.
How ISPs can help
Exposing port 7547 to the public Internet gives attackers the opportunity to exploit vulnerabilities in the TR-069 protocol. ISPs should filter out traffic from the public Internet that targets port 7547 on their networks. The only port 7547 traffic that should be allowed is traffic between their own Auto Configuration Servers (ACS) and customer equipment.
There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity in order to identify compromised routers. They should also force-update their customers’ routers to firmware that fixes the vulnerabilities and removes any malware.
Source: Read more on Wordfence’s website