A botnet powered by compromised home routers has been apparently shut down. It is unclear if the botnet operators decided to pull the plug on their operation or if the disruption was caused by law enforcement.
Security firm Wordfence warned last month that tens of thousands of vulnerable routers from dozens of ISPs worldwide had been abused for brute-force and other types of attacks aimed at WordPress websites.
Researchers said the attackers may have hijacked the devices by exploiting some known vulnerabilities that users and ISPs had failed to patch, including the flaw dubbed “Misfortune Cookie.”
However, on Tuesday, Wordfence reported that the volume of attacks had started to drop significantly over the weekend, particularly on Sunday night, Pacific time. By Monday evening, the 30,000 or 40,000 attack attempts coming every hour from some ISPs had dropped to less than 5,000, and the frequency of the attacks continued to decrease.
Wordfence has not been able to determine what caused the apparent shut down of the botnet and it’s unclear if the situation is permanent or just temporary. However, the company believes we might know exactly in the next few weeks.
One possible scenario is that the attackers themselves decided to end their operation for some reason. Another possibility is that law enforcement or other entities managed to take down the command and control (C&C) servers used by the botnet.
Law enforcement agencies have been very busy targeting cybercriminal operations in recent weeks. In April, U.S. authorities announced efforts to disrupt and dismantle the Kelihos botnet. Two weeks later, Interpol reported that authorities in the ASEAN region worked with private companies to identify nearly 9,000 C&C servers and hundreds of compromised websites.
The recent attacks originating from routers had caused Wordfence and organizations such as Spamhaus to blacklist the offending IP addresses, which resulted in users being unable to access certain online services.
“By reducing these attacks, this ensures those ISP customers have full internet access again,” said Wordfence’s Mark Maunder.