
A botnet of thousands of hacked Aethra routers was used to attack WordPress sites



The Italian information-security company VoidSec has published its findings on a recently discovered botnet built from Aethra routers. These devices turned out to be easy to compromise, and attackers are using botnets of them to run brute-force attacks against WordPress sites.

One of these attacks was discovered by a company specialist while analyzing the logs of WordPress sites under attack. The login attempts came from a fairly narrow range of IP addresses. Closer analysis showed that the addresses belonged to six Internet service providers: Fastweb, Albacom (BT-Italia), Clouditalia, Qcom, WIND and BSI Assurance UK. Four of them operate in Italy, and most of these providers supply their customers with Aethra routers.
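The kind of log analysis described above, as an added example (not VoidSec's code): the script parses access-log lines in Apache/nginx combined format, counts POST requests to the WordPress login endpoints per source IP, and groups the attacking hosts by /24 prefix so that a narrow source range stands out. The sample log lines are constructed; treating /xmlrpc.php as a second credential endpoint and the flagging thresholds (three hosts, five attempts) are assumptions, not anything the article states.

```python
"""Cluster WordPress login brute-force attempts by source prefix.

Added example (not VoidSec's code). Parses combined-format access log lines,
counts POSTs to the WordPress login endpoints and groups attacking hosts by
/24 prefix, so a narrow attacking range like the one in the article stands out.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints that accept WordPress credentials. Including /xmlrpc.php is an
# assumption; the article only mentions brute force against WordPress sites.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: five hosts in 203.0.113.0/24 posting credentials,
# one attempt from 192.0.2.5, and ordinary browsing from 198.51.100.7.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Dec/2015:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2015:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Dec/2015:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Dec/2015:10:00:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Dec/2015:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Dec/2015:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Dec/2015:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Dec/2015:10:01:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2015:10:01:30 +0100] "GET /wp-login.php HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2015:10:01:31 +0100] "GET /2015/12/post/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string so /wp-login.php?action=... still counts.
    return m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def login_attempts(lines):
    """Count POSTs to the login endpoints per source IP (GETs are just page views)."""
    attempts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip] += 1
    return attempts


def cluster_by_prefix(attempts, prefix_len=24):
    """Group per-IP counts by network; returns {network: (distinct_hosts, attempts)}."""
    hosts = defaultdict(set)
    total = Counter()
    for ip, n in attempts.items():
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:  # malformed address in the log: skip it
            continue
        hosts[net].add(ip)
        total[net] += n
    return {net: (len(hosts[net]), total[net]) for net in total}


def suspicious_prefixes(lines, prefix_len=24, min_hosts=3, min_attempts=5):
    """Prefixes where several distinct hosts are all posting credentials: the
    'narrow IP range' signature from the article. Sorted by attempt count."""
    clusters = cluster_by_prefix(login_attempts(lines), prefix_len)
    flagged = [
        (str(net), h, a)
        for net, (h, a) in clusters.items()
        if h >= min_hosts and a >= min_attempts
    ]
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    for net, hosts, attempts in suspicious_prefixes(SAMPLE_LOG.splitlines()):
        print(f"{net}: {hosts} hosts, {attempts} login POSTs")
```

On the sample, only 203.0.113.0/24 is flagged (five hosts, seven credential POSTs); the single attempt from 192.0.2.5 and the GETs from 198.51.100.7 are ignored. On a real log the next step would be mapping the flagged prefixes to their owning ISPs, which is how the article's authors arrived at the list of six providers.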

Default settings: a gift to an attacker


Although the Web is full of advice to change a router's default settings after installation, most of the providers' customers never do. Some are lazy, some simply do not know how, and some are afraid to break something. As a result, attackers still have an enormous amount of exposed equipment to work with.

As for the Aethra routers, the providers' customers were using the default login with no password set. Some of the devices are also vulnerable to several kinds of XSS and CSRF attacks, which let an attacker take control of the device even when non-default credentials are in use.

Using Shodan, a search engine for Internet-connected devices, the researchers found more than 12,000 Aethra routers worldwide. Most of them, 10,866 devices, are in Italy, and about 8,000 were involved in the brute-force attacks. At the time of writing, 70% of the detected devices were running with default settings.

By the experts' rough estimate, each compromised router could generate a DDoS attack of 1-10 Gbps.



What now?



It turned out that the problem had been discovered about a year earlier. The company contacted the two largest Italian providers whose routers were involved in the attacks. Fastweb responded fairly quickly and closed the vulnerability with a firmware update within a week. The other, BT-Italia, acknowledged the problem but did nothing for 11 months; its routers are still vulnerable.

Source: https://habr.com/ru/post/274117/
