Infected WordPress Sites Are Attacking Other WordPress Sites

Researchers identified a widespread campaign of brute force attacks against WordPress websites.
WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API).
The attacks, first identified by the Defiant Threat Intelligence Team and reported by Wordfenceon Wednesday, utilized four command-and-control (C2) servers that in turn send requests to over 14,000 proxy servers tied to a Russian internet firm called Best Proxies, according to the Wordfence.
“[The attackers] use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,” wrote Mikey Veenstra, a web security researcher at Wordfence, in a post.
According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be exploited by additional adversaries. He said Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.
Specifically targeted in the attacks is WordPress’s XML-RPC interface (/xmlrpc.php). XML-RPC is an API that Android and iOS mobile app developers use to link apps to WordPress websites.
“These attacks were launched by malicious scripts planted on other WordPress sites, which received instructions from a botnet with a sophisticated attack chain,” researcher said.
That attack chain starts with the rogue script which has automated attempts to gain access to the XML-RPC interface using common usernames and passwords.
“The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common [password] patterns,” researchers said. “If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”
Veenstra said WordPress moved to restrict scripts (and people) from systematically guessing XML-RPC interface passwords in 2015. Prompting the move was a similar brute-force password attack launched against the API. With the launch of WordPress 4.4 (released in 2015) attackers were stymied. But the patch was released “quietly” and isn’t disclosed in the version number documentation, he said.
“Even if a site is on the latest security release of a WordPress branch from 4.3 and older, it can be vulnerable to this attack method,” the researcher said.
For that reason, attackers are using script to identify vulnerable versions of WordPress ripe for target.
Wordfence researchers said they were able to capture requests sent from three of the four C2 servers that further revealed the attack chain.
“[Normally it would] be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts,” Wordfence said. “Since the scripts each make use of wordlists stored on the same infected WordPress site, they include functionality to regenerate these wordlists if necessary.”
Researchers said that in some cases the attacker’s scripts did not contain wordlists, to be used in brute-force password attacks. Under that scenario, the wordlist would be downloaded from the C2 server. The download helped researchers identify the C2’s internet protocols, and subsequently the login screen became easily discoverable.
Using other tools, such as app security tool Burp Suite, researchers were able to bypass anti-mitigation techniques used by attackers, such as login redirects, and browse the interface of the C2 application.
“Contained within the interface was a number of features, including the ability to access a list of ‘slaves’, which referred to the infected WordPress sites containing brute force scripts,” he said. From there researchers were able to connect the dots between the relationship between the servers, proxy servers and “slave” sites.
“Each server contained a file in its webroot named proxy.txt. This file contains a list of nearly ten thousand SOCKS proxy addresses, with IP addresses and ports. These IP addresses coincided with the proxy servers we had previously identified, suggesting the C2 uses this file to randomly select a proxy when issuing each attack. We identified 14,807 proxy servers,” researchers wrote.
Wordfence is urging users to update to WordPress 4.4 and implement restrictions and lockouts for failed logins.

Latest Jobs
-
- Contract (outside) Cyber Incident manager – current SC clearance ESSENTIAL
- United Kingdom
- N/A
-
Contract (outside) Cyber Incident manager – current SC clearance ESSENTIAL Outside IR35 Client facing (Remote UK) with occasional site visit. Must have current Cyber incident response / management experience. Both proactive planning, escalation, coordination and coordinating response. Stakeholder engagement both technical and non technical teams. Prior experience with Technical incident / digital forensics / crisis management. Immediate role.
-
- Tenable Vulnerability Analyst - CONTRACT outside IR35. SC cleared.
- United Kingdom
- N/A
-
6 month rolling contract Outside IR35- immediate start. Threat and Vulnerability Analyst. Tenable.sc experience needed. The ability to deploy agent, configure environments, run active and passive scans, produce reports and prioritise remediation activities based on output Current and ACTIVE SC clearance is required
-
- ForgeRock Consultant
- N/A
- £600 per day
-
ForgeRock Consultant required for 6 Month Contract (with potential to extend) Outside IR35, Must be willing to work Europe hours (GMT+1) This is a remote position, Looking for a lead ForgeRock Technical Consultant with strong experience of ForgeRock to lead the next phase of deployment. Good understanding of ForgeRock Directory Services. · Responsible for the design and implementation of ForgeRock stack · Install and configure ForgeRock stack to meet customer authentication and authorization requirements, · Design and implement OAuth2 protocol using ForgeRock OpenAM, · Design and develop OpenAM custom authentication modules, · Configure ForgeRock stack to protect RESTful API, · Troubleshoot and support ForgeRock IAM stack. · Designed and developed Restful APIs, This is a great project with an expanding ForgeRock Partner, where you will get to work on some high level deployment projects We are looking for someone with the above experience, who is comfortable hitting the ground running and taking on the reins mid project
-
- Network Security Engineer
- Germany
- €550 a day
-
German- based contract opportunity This is an onsite based position, we would need the Network Security engineer to be able to work on the client site 5 days a week Seeking an experienced Network Security Engineer for a leading technology company. Strong expertise in firewall/IPS solutions, proxy solutions, and certificate management is required. Good hands-on experience in networking and web-related technologies necessary. Strong problem-solving skills and the ability to work under pressure are essential. we are looking for a Network Security Engineer with the following experience: · Expertise in Administration, Management & Troubleshooting of Firewall / IPS solutions / Proxy solutions/Certificate Management Solutions · Good Hands-on Experience on security devices (PaloAlto/ /McAfee Proxy/CISCO ISE/Certificate Management) · Good Hands-on Experience in Networking with skills of switching, routing & wireless Technologies · Familiarity with web related technologies (Web applications, Web Services, Service Oriented Architectures) and of network/web related protocol · Configuration of NAT / PAT, firewall policies, profiling, objects, AD-Integration, backup – restore · Knowledge of Subnetting TCP/IP Communication, VLSM Configuration of VLAN VTP · Configuration of Routing Protocols e.g. RIPv1 & v2, OSPF, EIGRP, BGP Knowledge of standard and extended ACL 12 month contract