The Dark Knight of malware’s purpose remains unknown Hajime – the “vigilante” IoT worm that blocks rival botnets – has built up a compromised network of 300,000 malware-compromised devices, according to new figures from Kaspersky Lab.…
Read More:
Mysterious Hajime botnet has pwned 300,000 IoT devices
Distributed Denial of Service Disasters The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier. Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted. From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks. DDoS Attack Affects U.S. College For 54 Hours A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight. Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults on vulnerable IoT devices. “Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.” DDoS Attack Takes Down Netflix, Twitter An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things. The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data. DDoS Attack Through Vending Machines Hits University Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices. According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.” While administrators were locked out, the university intercepted “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.” DDoS Attacks Attempted Against Campaign Websites of Hillary Clinton And Donald Trump According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump. According to Flashpoint, the company observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, while the next day, it saw attacks against both Trump and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages. “Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website. BBC Domain Downed By By DDoS Attack On New Year’s Eve 2016, the BBC’s website was hit by a DDoS attack that downed its entire domain – including on-demand television and radio player – for more than three hours. While BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was a result of a DDoS attack, according to “sources within the BBC.” Russian Banks Hit With Waves Of DDoS Attacks In November, at least five Russian banks, including Sberbank and Alfabank banks, were the victims of prolonged DDoS attacks that lasted over two days. According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices that were located in 30 countries. The banks’ online clients services were not disrupted. According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016. Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015. “A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement. According to Arbor Networks, a DDoS-for-hire service, called LizardStresser, staged most of the pre-Olympic attacks. Despite the attacks, Arbor Networks performed several mitigation measures to help Olympics administrators keep their systems running. Brian Krebs’ Website Experienced DDoS Attack In September 2016, security investigative reporter Brian Krebs’ information blog experienced a DDoS attack. The attack reportedly placed peak traffic at around 620 Gbps. Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog. “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post. Source: http://www.crn.com/slide-shows/internet-of-things/300084663/8-ddos-attacks-that-made-enterprises-rethink-iot-security.htm
Original post:
8 DDoS Attacks That Made Enterprises Rethink IoT Security
Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide. A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide. Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers. He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals. Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”. Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.” Mudd showed no emotion as he was sent to a young offender institution. During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.” The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money. The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015. He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard. On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils. Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken. Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK. Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000. The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme. Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.” When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened. Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property. Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying. Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said. The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard. Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.” But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.” Source: https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft
Link:
Teenage hacker jailed for masterminding attacks on Sony and Microsoft
The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims. The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousand upon thousand of emails in the last three or four days. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on … More ?
Continued here:
Locky ransomware makes a comeback, courtesy of Necurs botnet
Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks
View post:
Linksys Routers Vulnerable to DDoS Attack
Akamai Technologies has identified a new attack method generating extremely large distributed denial of service (DDoS) attacks against educational institutions and other types of organizations but without the millions of infected hosts typically seen in these scenarios. In a threat advisory recently published by the content delivery network company’s security intelligence response team, researchers described a reflection and amplification method that can produce “significant attack bandwidth” through “significantly fewer hosts.” What’s required are open ports allowing LDAP traffic. The company’s security experts have detected and mitigated a total of 50 Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attacks. CLDAP was intended as an “efficient alternative to LDAP queries done over Transmission Control Protocol (TCP). Most of the attacks seen in the wild used CLDAP reflection exclusively. Twice, education has been the target. However, the primary victims have been in the software and technology industry, where 21 attacks have taken place, and the gaming segment, which has had 15 attacks. The largest of the attacks hit its target with a peak bandwidth of 24 gigabits per second and a top count of packets per second of 2 million. The source port was 386, the port used by Lightweight Directory Access Protocol (LDAP). According to the report, signatures of the attack suggest that it’s “capable of impressive amplification.” For example, Akamai security people obtained sample malicious LDAP reflection queries that had a payload of only 52 bytes. Yet the attack data payload was 3,662 bytes, meaning that the amplification factor was 73. More typically, the average amplification rate was 57, according to the researchers. The attacks are launched using “attack scripts,” usually written in C and with only slight variations from one vector to another. When the script is run, the target IP becomes the source of all the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they’re designed and reply to the query. As a result, the report described, “the target of this attack must deal with a flood of unsolicited CLDAP responses.” The attack is “fueled” by the number of servers on the internet with port 389 open and listening. Once a server has been identified as a viable source, it’s added to the list of reflectors. The best mitigation, suggested the report, is to filter the port in question. “Ingress filtering of the CLDAP port from the internet will prevent discovery and subsequent abuse of this service,” the report noted. Another option is to apply rules, which won’t stop the outbreak, but will alert system administers when an attempt is made to use the systems as part of a reflection attack. Source: https://campustechnology.com/articles/2017/04/20/new-ddos-attacks-use-far-fewer-infected-hosts.aspx?admgarea=news
See more here:
New DDoS Attacks Use Far Fewer Infected Hosts
When he woke up the morning of October 21, 2016, Nick Rockwell did the same thing he had done first thing every morning since The New York Times hired him as CTO: he opened The Times’ app on his phone. Nothing loaded. The app was down along with BBC, CNN, Fox News, The Guardian, and a long list of other web services, taken out by the largest DDoS attack in history of the internet. An army of infected IP cameras, DVRs, modems, and other connected devices – the Mirai botnet – had flooded servers of the DNS registrar Dyn in 17 data centers, halting a huge number of internet services that depended on it for letting their users’ computers know how to find them online. The outage had started only about five minutes before Rockwell saw the blank screen on his phone. His team kicked off a standard process that was in place for such outages, failing over to the Times’ internal DNS hosted in two of its four data centers in the US. The mobile app and the main site were back online about 45 minutes after they had gone down. While going through the fairly routine recovery process, however, something was really worrying Rockwell. The thing was, he didn’t know whether the attack was directed at many targets or at the Times specifically. If it was the latter, the effect could be catastrophic; its internal DNS wouldn’t hold against a major DDoS for more than five seconds. “It would’ve been incredibly easy to DDoS our infrastructure,” he said in a phone interview with Data Center Knowledge. His team had been a few months deep into fixing the vulnerability, but they weren’t finished. “We were OK [in the end], but we were vulnerable during that time.” The process to fix it started as they were preparing for the 2016 presidential election. Election night is the biggest event for every major news outlet, and Rockwell was determined to avoid the 2012 election night fiasco, when the site went down, unable to handle the spike in traffic. One of the steps the team decided to do in preparation for November 2016 was to fully integrate a CDN (Content Delivery Network). CDN services, such as Akamai, CloudFlare, or CDN services by cloud providers Amazon, Microsoft, and Google, store their clients’ most popular content in data centers close to where many of their end users are located – so-called edge data centers — from where “last-mile” internet service providers deliver that content to its final destinations. A CDN essentially becomes a highly distributed extension of your network, adding to it compute, storage, and bandwidth capacity in many metros around the world. That a CDN had not been integrated into the organization’s infrastructure came as a big surprise to Rockwell, who joined in 2015, after 10 months as CTO at another big publisher, Condé Nast. While at Condé Nast, he switched the publisher from a major CDN provider to a lesser-known CDN by a company called Fastly. He has since become an unapologetically big fan of the San Francisco-based startup, which now also delivers content to The New York Times users around the world. Being highly distributed by design puts CDNs in good position to help their customers handle big traffic spikes, be it legitimate traffic generated by a big news event or a malicious DDoS attack. (Rockwell said he did wonder, as the Dyn attack was unfolding, whether it was a rehearsal for election night.) Fastly ensured that on the night Donald Trump beat Hillary Clinton, the Times rolled without incident through a traffic spike of unprecedented size for the publisher: an 8,371 percent increase in the number of people visiting the site simultaneously, according to the CTO. The CDN has also mostly absorbed the much higher levels of day-to-day traffic The Times has seen since the election as it covers the Trump administration. The six-year-old startup, which this year crossed the $100 million annualized revenue run-rate threshold, designed its platform to give users a detailed picture of the way their traffic flows through its CDN and lots of control. Artur Bergman, Fastly’s founder and CEO, said the platform enables a user to treat the edge of their network the same way they treat their own data centers or cloud infrastructure. In your own data center you have full control of your tools for improving your network’s security and performance (things like firewalls and load balancers), Bergman explained in an interview with Data Center Knowledge. While you maintain that level of control in the public cloud, you don’t necessarily have it at the edge, he said. Traditionally, CDNs have offered customers little visibility into their infrastructure, so even differentiating between a legitimate traffic spike and a DDoS attack has been hard to do quickly. Fastly gives users log access in real-time so they can see exactly what is happening to their edge nodes and make critical decisions quickly. The startup today unveiled an edge cloud platform, designed to enable developers to deploy code in edge data centers instantly, without having to worry about scaling their edge infrastructure as their applications grow. It also announced a collaboration with Google Cloud Platform, pairing its platform with the giant’s enterprise cloud infrastructure services around the world. GCP is one of two cloud providers The New York Times is using. The other one is Amazon Web Services. Today, the publisher’s infrastructure consists of three leased data centers in Newark, Boston, and Seattle, and one facility it owns and operates on its own, located in the New York Times building in Times Square, Rockwell said. The company uses a virtual private cloud by AWS and some of its public cloud services in addition to running some applications in the Google Cloud. This setup is not staying for long, however. Rockwell’s team is working to shut down the three leased data centers, moving most of its workloads onto GCP and AWS, with Fastly managing content delivery at the edge. Google’s cloud is also going to play a much bigger role than it does today. The plan is to run apps that depend on Oracle databases in AWS, while everything else, save for a few exceptions (primarily packaged enterprise IT apps), will run in app containers on GCP, orchestrated by Kubernetes. As he works to sort out what he in a conference presentation referred to as the “jumbled mess” that is The Times’ current infrastructure, Rockwell no longer worries about DDoS attacks. Luckily for his team, there was no major DDoS attack on The Times between the day he came on board and the day Fastly started delivering the publisher’s content to its readers. Whether there was one after Fastly was implemented is irrelevant to him. “It’s no longer something I have to think about.” Source: http://www.thewhir.com/web-hosting-news/how-the-new-york-times-handled-unprecedented-election-night-traffic-spike
View article:
How The New York Times Handled Unprecedented Election-Night Traffic Spike
Distributed denial-of-service attacks have quickly become one of the favorite tools among cyber criminals around the world. It appears some groups are taking things to the next level by leveraging the CLDAP protocol. As a result, they can amplify their DDoS attacks by as much as 700%. This is a very troublesome development, to say the least. CLDAP PROTOCOL IS NOW A CRIMINAL TOOL For those people who are unaware of what the CLDAP protocol is, allow us to briefly explain. It is a communication protocol used to connect, search, and modify internet directories. As one would expect, this particular protocol provides high performance at all times, as it can pump through data at an accelerated pace. So far, this protocol has only been used among network administrators to query data with relative ease. Unfortunately, all good technologies are often used for nefarious purposes, and the CLDAP protocol is no different in this regard. A new report has surfaced, indicating criminals use CLDAP to amplify their direct denial-of-service attacks. It is believed they can make such attacks up to 70 times as powerful as before, which does not bode well for any part of the global internet infrastructure. Researchers claim cybercriminals have been abusing the CLDAP protocol since late last year. That is quite a worrisome thought, although it is unclear which companies or services were targeted exactly. DDoS attacks leveraging the CLDAP protocol is not a positive development, as it only allows cybercriminals to shut down online services and platforms more easily. The last thing this world needs is more tools for online criminals to do bigger damage with less effort. The amplification part of the CLDAP protocol is of particular concern to security researchers right now. By using the CLDAP protocol, DDoS attackers can artificially increase the number of times a data packet is enlarged. At its peak, the CLDAP protocol can increase data packet sizes by as much as 700%. To be more specific, One bit of data sent through a DDoS attack over the CLDAP protocol results in the target receiving 700 bytes of data. So far, researchers have discovered over four dozen DDoS attacks leveraging the CLDAP protocol. That is quite a significant number, although it is only a hint of what the future will hold. Given the vulnerability of the Internet of Things devices, leveraging a hundred devices can now become as powerful as using 7,000 devices in a coordinated DDoS attack. It wouldn’t take much effort to shut down websites, online banking portals or even DNS service provides such as DynDNS. To put this latter part into perspective, it takes 1 Gbps of sustained HTTP requests to shut down the average website. The biggest DDoS attack leveraging CLDAP put through 24 Gbps, and that was merely a test to see how well the protocol would hold up under sustained throughput. It is evident things will get a lot more troublesome from here on out. Anti-DDoS providers will need to find ways to filter CLDAP traffic rather than try to block it, as they will fall woefully short otherwise. Source: https://themerkle.com/criminals-leverage-cldap-protocol-to-conduct-amplified-ddos-attacks/
Continue Reading:
Criminals Leverage CLDAP Protocol to Conduct Amplified DDoS Attacks
One in five British firms was hit by a cyber attack last year, research from the British Chambers of Commerce suggests Cyber attacks are a growing threat to global business operations. This was confirmed by research from the British Chambers of Commerce (BCC), which surveyed 1,200 companies, revealing that one in five British businesses experienced a cyber attack last year. Larger businesses – defined as those with over 100 staff – were more likely to be attacked than smaller counterparts, according to the survey. The report found that 42% of larger organisations had suffered a cyber attack, compared with 18% of smaller ones. Clearly, more needs to be done by businesses to protect themselves. Indeed, the BCC’s report alos found that only a quarter of the firms surveyed had put in security protocols to protect themselves from hackers and cyber threats. The well documented data breaches of web giant Yahoo, telecoms firm TalkTalk and the dating website Ashley Madison have all hit the headlines in recent years. But this survey has shown just how widespread the problem is. It is endemic. “Cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity,” said BCC director-general Adam Marshall. “Firms need to be proactive about protecting themselves from cyber attacks.” Reacting to the news, Anton Grashion, managing director-security practice at Cylance, said “This is probably an underestimate if anything. Two reasons for this, firstly, this assumes they even know they have been hit, secondly people are more likely to under-report.” “Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems so it’s the unconscious acceptance of risk that plagues both large and small businesses.” Stephanie Weagle, VP at Corero Network Security, has identified DDoS attacks as the greatest cyber threat facing business. She said “Attackers will always find new exploits, and new attack methods of disrupting financial opportunity, extortion, accessing personally identifiable data, and disrupting an organisations online availability. Cyber attack activity is prevalent today, more than ever – especially when it comes to DDoS attacks.” DDoS attacks are on the rise and “continue to increase in frequency, scale and sophistication over the last year. 31% of IT security professional and network operators polled in a 2017 survey conducted by Corero experienced more DDoS attacks than usual in recent months, with 40% now experiencing attacks on a monthly, weekly or even daily basis. Source: http://www.information-age.com/major-flaws-devops-teams-security-123465765/
See more here:
‘One in five’ British firms hit by cyber attack in 2016
Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer. Once they’ve gained access, the attackers can guess the password for the page and commandeer the account. The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated. The flaw was detected by WordFence, a firm that offers a security plugin for the WordPress platform. The campaign is exploiting security bugs in the TR-069 router management protocol to highjack devices. Attackers gain entry by sending malicious requests to a router’s 7547 port. The miscreants behind the campaign are playing it low-key to avoid detection, attempting only a few guesses at passwords for each router. While the exact size of the botnet is unknown, WordFence reported that nearly seven percent of all the brute-force attacks on WordPress sites last month arrived from home routers with port 7547 exposed to the internet. The flaw is exacerbated by the fact that most home users lack the technical know-how to limit access to their router’s 7547 port. In some cases, the devices do not allow the shuttering of the port. A more practical solution is offered by WordFence: ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547. “The routers we have identified that are attacking WordPress sites are suffering from a vulnerability that has been around since 2014 when CheckPoint disclosed it,” Mark Maunder, CEO of WordFence CEO, told SC Media on Wednesday. The specific vulnerability, he pointed out, is the “misfortune cookie” vulnerability. “ISPs have known about this vulnerability for some time and they have not updated the routers that have been hacked, leaving their customers vulnerable. So, this is not a case of an attacker continuously evolving a technique to infect routers. This is a case of opportunistic infection of a large number of devices that have a severe vulnerability that has been known about for some time, but has never been patched.” There are two attacks, Maunder told SC. The first is the router that is infected through the misfortune cookie exploit. The other is the attacks his firm is seeing on WordPress sites that are originating from infected ISP routers on home networks. “The routers appear to be running a vulnerable version of Allegro RomPager version 4.07,” Maunders said. “In CheckPoint’s original 2014 disclosure of this vulnerability they specifically note that 4.07 is the worst affected version of RomPager. So there is nothing new or innovative about this exploit, it is simply going after ISP routers that have a large and easy to hit target painted on them.” The real story here, said Maunder, is that a number of large ISPs, several of them state owned, have gone a few years without patching their customer routers and their customers and the online community are now paying the price. “Customer home networks are now exposed to attackers and the online community is seeing their websites attacked. I expect we will see several large DDoS attacks originating from these routers this year.” Source: https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/
Follow this link:
Hackers attacking WordPress sites via home routers