Massive Ransomware attack unveiled and underway

According to Wordfence, one of the front line protectors of all things WordPress, there is a massive ransomware attack ongoing affecting Windows computers and their related networks.

Called WanaCryptor, it functions similarly to other ransomware, locking down files on an infected system unless the victim makes a payment. Ransomware infects machines through inadvertent clicks on malware links in bogus or phishing emails that pose as legitimate communications.

According to Microsoft, a fix for this vulnerability was released on March 14th for all affected versions of Windows.

US CERT has also published a blog post on this and sent out warning emails to let systems admins and users know of the threat.

Gizmodo is updating this page with information on the current threat and on how it is spreading.

More details here from Wordfence and US CERT website…

https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported

Massive Global Ransomware Attack Underway, Patch Available

Is your home router attacking the internet?

Updated: 17.04.17

Home Internet routers, with different capabilities, provide a range of services such as access management, shared disk services or Wifi for your laptop or iPad. Many users install these devices and don’t realize that they still retain their default passwords. Knowing this, hackers have been using this fact to load hacked software into these devices and launch various attacks on vulnerable internet hosts.

US-CERT has a long list of vulnerabilities and attack vectors for this type of hack at https://www.us-cert.gov/ncas/alerts/TA13-175A.

The bad guys have been exploring other methods to use home routers to do their dirty work.

Wordfence, creator of one of my favourite WordPress plugins used to protect WP websites, looked at a recent set of network attacks from addresses owned by Telcom Algeria and surveyed a number of those addresses to see what was there. They received responses from 3,855 IP addresses.

Out of those IPs, 1501 are Zyxel routers that are listening on port 7547 and are running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)”.

Allegro RomPager 4.07 is an embedded web server that has a severe vulnerability. Checkpoint, who discovered the vulnerability in 2014, named it Misfortune Cookie. The identifier is CVE-2014-9222.

It appears that attackers have exploited the home routers on Algeria’s state owned telecommunications network and are using them to attack WordPress websites globally.

There are a number of other routers in the web-o-sphere that also possess this vulnerability, used by various telecoms around the world. According to Shodan, a popular network analysis tool, over 41 million home routers world-wide have port 7547 open to the public internet.

Wordfence has published an excellent web post on the topic, as well as a link to a tool to check if your router has the vulnerability on port 7547.

Here’s the link to the post: Wordfence router check
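If you want to see roughly what such a check does, here is an added example written for this post (not the Wordfence tool and not their code): it connects to a single host on port 7547, reads the HTTP response, and reports whether the Server header advertises RomPager 4.07, the version named above. The sample response embedded in it is constructed, not captured from a real device, and matching the banner is only a version hint, not proof that a given router is exploitable.

```python
import re
import socket
from typing import Optional

# Port the post says the affected routers listen on (TR-069/CWMP management).
CWMP_PORT = 7547

# Constructed sample response modelled on the banner quoted in the post;
# hypothetical bytes, not captured from a real router.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: RomPager/4.07 UPnP/1.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)


def server_header(response: bytes) -> Optional[str]:
    """Return the value of the HTTP Server header, or None if it is absent."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def rompager_version(banner: Optional[str]) -> Optional[str]:
    """Extract the RomPager version string from a Server header, if present."""
    if not banner:
        return None
    match = re.search(r"RomPager/(\d+(?:\.\d+)*)", banner, re.IGNORECASE)
    return match.group(1) if match else None


def is_misfortune_cookie_candidate(response: bytes) -> bool:
    """True when the banner reports RomPager 4.07, the version the post ties to CVE-2014-9222."""
    return rompager_version(server_header(response)) == "4.07"


def probe_router(host: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch the raw HTTP response from host:7547; None if the port is closed or unreachable."""
    try:
        with socket.create_connection((host, CWMP_PORT), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks = []
            while len(b"".join(chunks)) < 65536:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break                         # keep whatever arrived so far
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return None
```

Run `probe_router("<your router's public address>")` from outside your own network (a closed port returns None, which is the result you want) and pass the response to `is_misfortune_cookie_candidate`.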