Exec summary: A botnet has been identified that is currently targeting WordPress websites with a password guessing attack. If you have Wordfence installed with our default settings, you are already protected against this attack. The botnet is powered by modem/router devices. ISPs are gradually patching the devices, but many remain vulnerable or infected because some ISPs are responding slowly to this issue.
In February of this year a security researcher at Voidsec noticed brute force attacks on his personal WordPress site and saw a pattern in the IP addresses attacking it. They mostly belonged to Italian internet service providers. They were:
- Albacom, now BT-Italia
- BSI Assurance UK
What he discovered is that the IPs attacking his site were all devices. They were all Aethra modem/routers, to be exact. By doing some further sleuthing he discovered that all the Aethra devices involved in the attack were using default login credentials (blank/blank).
The modems had obviously been hacked and the attacker had gained access through the default login. They had then installed malware on the modems that launched a brute force password guessing attack on WordPress sites.