Infected WordPress Sites Are Attacking Other WordPress Sites
Researchers identified a widespread campaign of brute force attacks against WordPress websites.
WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API).
The attacks, first identified by the Defiant Threat Intelligence Team and reported by Wordfenceon Wednesday, utilized four command-and-control (C2) servers that in turn send requests to over 14,000 proxy servers tied to a Russian internet firm called Best Proxies, according to the Wordfence.
“[The attackers] use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,” wrote Mikey Veenstra, a web security researcher at Wordfence, in a post.
According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be exploited by additional adversaries. He said Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.
Specifically targeted in the attacks is WordPress’s XML-RPC interface (/xmlrpc.php). XML-RPC is an API that Android and iOS mobile app developers use to link apps to WordPress websites.
“These attacks were launched by malicious scripts planted on other WordPress sites, which received instructions from a botnet with a sophisticated attack chain,” researcher said.
That attack chain starts with the rogue script which has automated attempts to gain access to the XML-RPC interface using common usernames and passwords.
“The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common [password] patterns,” researchers said. “If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”
Veenstra said WordPress moved to restrict scripts (and people) from systematically guessing XML-RPC interface passwords in 2015. Prompting the move was a similar brute-force password attack launched against the API. With the launch of WordPress 4.4 (released in 2015) attackers were stymied. But the patch was released “quietly” and isn’t disclosed in the version number documentation, he said.
“Even if a site is on the latest security release of a WordPress branch from 4.3 and older, it can be vulnerable to this attack method,” the researcher said.
For that reason, attackers are using script to identify vulnerable versions of WordPress ripe for target.
Wordfence researchers said they were able to capture requests sent from three of the four C2 servers that further revealed the attack chain.
“[Normally it would] be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts,” Wordfence said. “Since the scripts each make use of wordlists stored on the same infected WordPress site, they include functionality to regenerate these wordlists if necessary.”
Researchers said that in some cases the attacker’s scripts did not contain wordlists, to be used in brute-force password attacks. Under that scenario, the wordlist would be downloaded from the C2 server. The download helped researchers identify the C2’s internet protocols, and subsequently the login screen became easily discoverable.
Using other tools, such as app security tool Burp Suite, researchers were able to bypass anti-mitigation techniques used by attackers, such as login redirects, and browse the interface of the C2 application.
“Contained within the interface was a number of features, including the ability to access a list of ‘slaves’, which referred to the infected WordPress sites containing brute force scripts,” he said. From there researchers were able to connect the dots between the relationship between the servers, proxy servers and “slave” sites.
“Each server contained a file in its webroot named proxy.txt. This file contains a list of nearly ten thousand SOCKS proxy addresses, with IP addresses and ports. These IP addresses coincided with the proxy servers we had previously identified, suggesting the C2 uses this file to randomly select a proxy when issuing each attack. We identified 14,807 proxy servers,” researchers wrote.
Wordfence is urging users to update to WordPress 4.4 and implement restrictions and lockouts for failed logins.

Latest Jobs
-
- SOC Manager. SC Clearance. Immediate opportunity.
- Unknown
- N/A
-
Permanent SOC Manager. SC cleared / clearable, London / Birmingham. SOC Manager needed to replace a SOC contractor I placed into a client who is due to complete their assignment at the end of March. The ability to achieve SC clearance is essential. Looking for someone that is a blend of strategic stakeholder engagement with strong technical skills. The role will sit in a relatively new SOC environment. The position is to setup, implementation and management of resources to help with the initial and on-going stages of a new SOC. Experience engaging with and managing client stakeholder relationships as well as 3rd party relationships is critical. The role will involve; setting up, implementing and fine tuning the various initial stages of a SOC environment. Experience establishing and building out technical process / operational capability, managing of technical teams (analysts, engineers and architects, creation of policy / playbooks, fine turning is key. SPLUNK is the tooling of choice… Interviewing immediately. Set up a call with me today on https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-manager-role Direct contact details Chris.Holt@dclsearch.com or 07884666351
-
- Security engineer. Financial Services. UK. Permanent
- Unknown
- N/A
-
CH7863 Security engineer. End User . Financial Services Security Engineer needed to monitor and manage a security suite of tools within an End User environment. The Security Engiener will be responsible monitoring, configuring, fine tuning, incident management and generally improving the security tool capability. Specific experience with CyberArk, Tripwire Log Center and Tripwire Enterprise is highly desirable). Current experience with Vulnerability management and penetration testing is highly desirable. Specifically the ability to effectively manage 3rd party pen tests. You will be working within a specialist security team reporting to the CISO. Experience working within an end user environment within financial services is highly desirable. Flexible location. This is an exclusive role to DCL Search & Selection. To book a call please use my Calendy link https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-role-
-
- DevSecOps - Security design / review consultant. SC Clearance. London
- London
- N/A
-
CH7858 London £70,000 DevSecOps - Security design / review consultant. DevSecOps - Security design / review consultant will ensure that newly created, public facing apps are secure by design and by default by aligning them to current / best practice security policies and standards into the design phases. The individual must have a technical software / application development background with specalist experinece in secure architecture design. (Frameworks, processes, best practice etc) Practical experience translating and ensuring that the OWASP top 10, ISO27001, HMG frameworks requirements are reviewed and embedded into project designs which are implemented is essential. Experience working projects through a full development lifecycle is key. You will work along side the design and project teams to idenitfy and mitigate risks throughout the design phases. This is a permanent role. SC clearance is essential as is the ability to get to the London office. (When appropiate #covid) Security DevSecOps consultant. To arrange a discreet call book via https://calendly.com/chris-holt/devsecopp--security-design-review-consultant
-
- CONTRACTOR Cyber Vulnerability Analyst, NESSUS, Rapid 7, SC clearance required.
- London
- N/A
-
Cyber Vulnerability analyst NESSUS, Rapid 7, needed for IMMEDIATE 3 month contract MUST have / be able to achieve UK SC clearance role to work within a live environment within a public sector department. The individual must have experience in using various security methods and tools such as Rapid7 and NESSUS scan for / identify vulnerabilities, prioritise them according to risk and raise appropriate tickets for remediation / follow up. In depth experience utilising Nessus highly beneficial. Current cyber public sector experience highly desirable.