Infected WordPress Sites Are Attacking Other WordPress Sites
Researchers identified a widespread campaign of brute force attacks against WordPress websites.
WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API).
The attacks, first identified by the Defiant Threat Intelligence Team and reported by Wordfenceon Wednesday, utilized four command-and-control (C2) servers that in turn send requests to over 14,000 proxy servers tied to a Russian internet firm called Best Proxies, according to the Wordfence.
“[The attackers] use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,” wrote Mikey Veenstra, a web security researcher at Wordfence, in a post.
According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be exploited by additional adversaries. He said Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.
Specifically targeted in the attacks is WordPress’s XML-RPC interface (/xmlrpc.php). XML-RPC is an API that Android and iOS mobile app developers use to link apps to WordPress websites.
“These attacks were launched by malicious scripts planted on other WordPress sites, which received instructions from a botnet with a sophisticated attack chain,” researcher said.
That attack chain starts with the rogue script which has automated attempts to gain access to the XML-RPC interface using common usernames and passwords.
“The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common [password] patterns,” researchers said. “If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”
Veenstra said WordPress moved to restrict scripts (and people) from systematically guessing XML-RPC interface passwords in 2015. Prompting the move was a similar brute-force password attack launched against the API. With the launch of WordPress 4.4 (released in 2015) attackers were stymied. But the patch was released “quietly” and isn’t disclosed in the version number documentation, he said.
“Even if a site is on the latest security release of a WordPress branch from 4.3 and older, it can be vulnerable to this attack method,” the researcher said.
For that reason, attackers are using script to identify vulnerable versions of WordPress ripe for target.
Wordfence researchers said they were able to capture requests sent from three of the four C2 servers that further revealed the attack chain.
“[Normally it would] be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts,” Wordfence said. “Since the scripts each make use of wordlists stored on the same infected WordPress site, they include functionality to regenerate these wordlists if necessary.”
Researchers said that in some cases the attacker’s scripts did not contain wordlists, to be used in brute-force password attacks. Under that scenario, the wordlist would be downloaded from the C2 server. The download helped researchers identify the C2’s internet protocols, and subsequently the login screen became easily discoverable.
Using other tools, such as app security tool Burp Suite, researchers were able to bypass anti-mitigation techniques used by attackers, such as login redirects, and browse the interface of the C2 application.
“Contained within the interface was a number of features, including the ability to access a list of ‘slaves’, which referred to the infected WordPress sites containing brute force scripts,” he said. From there researchers were able to connect the dots between the relationship between the servers, proxy servers and “slave” sites.
“Each server contained a file in its webroot named proxy.txt. This file contains a list of nearly ten thousand SOCKS proxy addresses, with IP addresses and ports. These IP addresses coincided with the proxy servers we had previously identified, suggesting the C2 uses this file to randomly select a proxy when issuing each attack. We identified 14,807 proxy servers,” researchers wrote.
Wordfence is urging users to update to WordPress 4.4 and implement restrictions and lockouts for failed logins.
- CONTRACT SIEM Cyber Security Operations Engineer. REMOTE OUTSIDE IR35
- United Kingdom
REFCH8165 CONTRACT SIEM Cyber Security Operations Engineer. REMOTE UK SIEM Engineer. 6 month Contract. OUTSIDE IR35 Working towards a "SOC 2" environment. CLOUD (AWS) experience essential. Three key functions; Monitor, Escalate and Triage incidents. Vulnerability Management / threat intel. SIEM configuration / management, review, enhancement More specifically; Work with internal teams to identify assets. Identity applicable threat feeds and work with internal teams to remediate. Patch Patch Patch. (Help mature process / identify gaps) Configuration / fine tuning of SIEM alerts. Create dashboards, Compliance reporting. Log ingestion. Experience across ISO27001 / SOC2 / SIEM / End Point Security is essential Contact me today for more information Chris.Holt@dclsearch.com Or 07884666351
- Cyber Security Operations Engineer. REMOTE UK. SOC2
- United Kingdom
REF8164 Cyber Security Operations Engineer. REMOTE UK Internal opportunity. New position. Exclusive to DCL Search. You will be the hands on technical eyes and ears of the Cyber security capability actively working to ensure and enhance the adherence to ISO27001 and "SOC 2" controls. You role will touch on the following · Security Monitoring- SIEM · Vulnerability Management / Testing · Incident Management · Asset management · Disaster Recovery planning · Change Management AWS Cloud experience is essential as is the ability to ensure patch management is prioritised across the business. Any CLOUD SIEM experience highly desirable. Contact me today for more information Chris.Holt@dclsearch.com Or 07884666351
- Lead Security Architect
- United Kingdom
Engage with key clients in an Architectural / technical presales capacity. Including Stakeholders, end users / partners. Working on new and existing Security projects to confirm that proposed solutions are fit for purpose from both a technical and regulatory capacity. Working closely with multiple vendor . Managed security service background ideal CLOUD Security (AZURE OR AWS), IDAM background ideal.
- Threat Vulnerability Management Analyst
- United Kingdom
To monitor, identify and alert internal teams of cyber threats and vulnerabilities. MIRE Att&ck, CIS, OWASP, Vulnerability management tools MUST be able to commute to central London MUST be able to achieve UK SC Clearance. On going support and development.