
A vulnerability known as “Misfortune Cookie” is being used to hack unsecured home routers. It abuses a service that ISPs use to remotely manage home routers, which listens on port 7547. A group of hackers is hijacking unsecured home routers and using them to launch coordinated, evenly distributed brute-force attacks on the administration panel of WordPress sites. The group's main goal is to guess the password for the admin account and take over the attacked site. The routers play a vital role in this scenario because they allow the hackers to spread their brute-force attack over thousands of different IP addresses, avoiding firewalls and their blacklists. Experts say the attackers deliberately launch only a few password-guessing attempts from each router to keep a low profile.
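Because each router makes only a few guesses, a per-IP lockout never fires; the campaign shows up only when login attempts are counted across sources. The sketch below is an added example, not Wordfence's code: it assumes a combined-format web access log, uses thresholds chosen for illustration, and runs on a constructed sample log with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Fields needed from a combined-format access log line: IP, time, method, path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def login_posts(lines):
    """Yield (timestamp, ip) for each POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).startswith("/wp-login.php"):
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def detect(lines, window_s=600, per_ip_limit=5, distinct_ip_limit=20):
    """Return (noisy_ips, distributed_windows); all thresholds are assumptions.

    noisy_ips: sources a per-IP lockout or blacklist would already catch.
    distributed_windows: (start, quiet_ip_count, attempts) for windows in which
    many sources each stayed at or under the per-IP limit.
    """
    buckets = defaultdict(Counter)
    for ts, ip in login_posts(lines):
        buckets[int(ts.timestamp()) // window_s][ip] += 1
    noisy, distributed = set(), []
    for key, counts in sorted(buckets.items()):
        noisy |= {ip for ip, n in counts.items() if n > per_ip_limit}
        quiet = [ip for ip, n in counts.items() if n <= per_ip_limit]
        if len(quiet) >= distinct_ip_limit:
            start = datetime.fromtimestamp(key * window_s, tz=timezone.utc)
            distributed.append((start, len(quiet), sum(counts[ip] for ip in quiet)))
    return noisy, distributed

def sample_log():
    """Constructed log: 30 hosts with 2 attempts each, one host with 8, one GET."""
    fmt = '{ip} - - [12/Apr/2017:10:0{m}:{s:02d} +0000] "{verb} /wp-login.php HTTP/1.1" 200 1234'
    lines = []
    for i in range(1, 31):
        for s in (i, i + 20):
            lines.append(fmt.format(ip=f"203.0.113.{i}", m=i % 10, s=s, verb="POST"))
    lines += [fmt.format(ip="198.51.100.7", m=3, s=s, verb="POST") for s in range(8)]
    lines.append(fmt.format(ip="192.0.2.10", m=5, s=0, verb="GET"))
    return lines

if __name__ == "__main__":
    noisy, distributed = detect(sample_log())
    print("per-IP rule catches:", sorted(noisy))
    for start, ips, attempts in distributed:
        print(f"{start:%H:%M} UTC: {attempts} attempts from {ips} quiet sources")
```

On the sample, the per-IP rule flags only the single noisy host, while the cross-source count surfaces the 30 quiet hosts that together made 60 attempts in one ten-minute window.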

The WordPress security firm Wordfence uncovered these attacks. According to Wordfence, the group behind this campaign is leveraging security flaws in the TR-069 router management protocol to take over devices. These flaws can be exploited by sending malicious requests to a router’s port 7547. Wordfence firewall and malware scanner products are in use on more than 2 million WordPress sites, and the company estimates that 6.7% of all attacks on these sites are coming from hacked home routers. The company has tracked down many of the biggest offenders to 28 ISPs around the world, 14 of which have a massive number of routers with their 7547 management port left open to external connections.

Over the past month alone we have witnessed over 57,000 individual home routers being used to attack WordPress sites. The CEO of Wordfence, Mark Maunder, disclosed that “those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.”

In a similar incident at the end of last year, a hacker tried to hijack over one million routers from the networks of ISPs in Germany and the UK. Many of those routers were ZyXEL or rebranded ZyXEL routers. The hacker meant to add the routers to a Mirai botnet he was renting out for DDoS attacks. UK police eventually apprehended a suspect in February. “Routers are a weak spot in our home networks”, and this is not the first time crooks have found ingenious ways to use home routers. Last year, the operators of a malvertising campaign used JavaScript code hidden in malicious ads to hijack 166 home router models. After taking over these devices, the crooks used them to redirect users to malicious sites or to replace ads on legitimate sites.

To help WordPress users make sure their router cannot be enlisted in these attacks, Wordfence has created a tool that makes it easy to check. It detects whether your home router has port 7547 open or is running a vulnerable version of RomPager. If you find that your router is vulnerable or that port 7547 is open, Wordfence has published instructions for how to secure your device.