The number of attacks started dropping over the weekend

May 3, 2017 13:38 GMT

Someone finally pulled the plug on a botnet powered by compromised home routers. It is unclear at this point whether this was the decision of the attackers behind the botnet or whether law enforcement had a hand in it.

According to Wordfence, the volume of attacks had started to drop over the past weekend. By Monday, the intensity had dropped from 30,000-40,000 attack attempts every hour to fewer than 5,000.

The security company did warn last month that tens of thousands of vulnerable routers from across the world had been infected and prepared for attacks, mostly aimed at WordPress sites. At the time, researchers believed the hackers hijacked the devices by exploiting some known vulnerabilities that had not been patched.

Reasons behind the shutdown still unclear

The botnet was used for serious attacks and had not let up until early this week. Wordfence researchers were not able to figure out the reasons behind the shutdown and, at this point, it remains to be seen whether this is a permanent change or just a brief pause. We should know more in the next few weeks.

The two most plausible scenarios are that the attackers decided to shut down the botnet themselves, for whatever reason, or that it was shut down by law enforcement after the command and control servers were taken offline.

In recent years, authorities have been getting better at tracking cyber criminals. One of the most prominent cases in recent times is the dismantling of the Kelihos botnet after the arrest of the ringleader.

"It is worth noting that earlier this month, INTERPOL worked with investigators in Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to identify almost 9,000 command and control servers and just under 270 hacked websites. They produced reports for authorities in each country which allowed local enforcement to take action against the compromised systems," Wordfence notes.

The sustained attacks against WordPress sites resulted in the routers' IP addresses being blacklisted by Wordfence and other services such as Spamhaus. This caused customers of the affected ISPs to suffer, because certain websites and services would block them. It is expected that full access will once more be restored.