Infected WordPress Sites Are Attacking Other WordPress Sites
Researchers identified a widespread campaign of brute force attacks against WordPress websites.
WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API).
The attacks, first identified by the Defiant Threat Intelligence Team and reported by Wordfenceon Wednesday, utilized four command-and-control (C2) servers that in turn send requests to over 14,000 proxy servers tied to a Russian internet firm called Best Proxies, according to the Wordfence.
“[The attackers] use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,” wrote Mikey Veenstra, a web security researcher at Wordfence, in a post.
According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be exploited by additional adversaries. He said Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.
Specifically targeted in the attacks is WordPress’s XML-RPC interface (/xmlrpc.php). XML-RPC is an API that Android and iOS mobile app developers use to link apps to WordPress websites.
“These attacks were launched by malicious scripts planted on other WordPress sites, which received instructions from a botnet with a sophisticated attack chain,” researcher said.
That attack chain starts with the rogue script which has automated attempts to gain access to the XML-RPC interface using common usernames and passwords.
“The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common [password] patterns,” researchers said. “If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”
Veenstra said WordPress moved to restrict scripts (and people) from systematically guessing XML-RPC interface passwords in 2015. Prompting the move was a similar brute-force password attack launched against the API. With the launch of WordPress 4.4 (released in 2015) attackers were stymied. But the patch was released “quietly” and isn’t disclosed in the version number documentation, he said.
“Even if a site is on the latest security release of a WordPress branch from 4.3 and older, it can be vulnerable to this attack method,” the researcher said.
For that reason, attackers are using script to identify vulnerable versions of WordPress ripe for target.
Wordfence researchers said they were able to capture requests sent from three of the four C2 servers that further revealed the attack chain.
“[Normally it would] be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts,” Wordfence said. “Since the scripts each make use of wordlists stored on the same infected WordPress site, they include functionality to regenerate these wordlists if necessary.”
Researchers said that in some cases the attacker’s scripts did not contain wordlists, to be used in brute-force password attacks. Under that scenario, the wordlist would be downloaded from the C2 server. The download helped researchers identify the C2’s internet protocols, and subsequently the login screen became easily discoverable.
Using other tools, such as app security tool Burp Suite, researchers were able to bypass anti-mitigation techniques used by attackers, such as login redirects, and browse the interface of the C2 application.
“Contained within the interface was a number of features, including the ability to access a list of ‘slaves’, which referred to the infected WordPress sites containing brute force scripts,” he said. From there researchers were able to connect the dots between the relationship between the servers, proxy servers and “slave” sites.
“Each server contained a file in its webroot named proxy.txt. This file contains a list of nearly ten thousand SOCKS proxy addresses, with IP addresses and ports. These IP addresses coincided with the proxy servers we had previously identified, suggesting the C2 uses this file to randomly select a proxy when issuing each attack. We identified 14,807 proxy servers,” researchers wrote.
Wordfence is urging users to update to WordPress 4.4 and implement restrictions and lockouts for failed logins.
Latest Jobs
-
- Infrastructure (Network / Security) Engineer | West London commutable | Permanent
- London
- Apply today
-
Infrastructure (Network / Security) Engineer | West London commutable | Permanent This is an in house opportunity. Looking for someone that has on prem / data center experience MUST be a currently hands on config, Install, upgrade, troubleshooting experience Routing, Switching, Network Security (firewall, IDS etc), Microsoft Active Directory / 365. VMWare Scripting / automation experience wanted. Python, Powershell etc Must be commutable to West London twice a week. Visa sponsorship not available. Apply today for more information Book a call via this link https://calendly.com/d/crqf-t28-7tb
-
- Identity & Access Management Architect
- Edinburgh
- Upto £95000 plus bonus and benefits
-
Location: Edinburgh | Hybrid Working | Permanent Are you an experienced Identity & Access Management professional with a passion for designing and implementing cutting-edge security solutions? We are looking for a Lead Architect, where you’ll play a key role in helping clients enhance their IAM capabilities, protect critical data, and navigate complex security challenges. About the Role As a Lead Architect, you will be responsible for shaping and delivering IAM strategies, designing robust security solutions, and driving long-term digital transformation. You’ll leverage your expertise to provide strategic guidance on areas such as: Identity Governance & Administration (IGA) Privileged Access Management (PAM) Access Management (AM) Entitlement Management Directories & Authentication Solutions You will have the opportunity to work with innovative technologies and frameworks, ensuring that businesses can securely manage access to critical assets while enabling growth. What You’ll Be Doing Providing subject matter expertise in IAM and leading transformation projects for clients Developing IAM roadmaps, operating models, and governance frameworks Driving innovation by integrating IAM capabilities into wider digital transformation strategies Building and maintaining strong relationships with clients and stakeholders Designing and implementing scalable IAM solutions to meet business needs What We’re Looking For Proven experience in IAM strategy, solution architecture, or assurance Strong leadership skills with experience guiding technical teams Ability to work in a client-facing role, delivering clear communication and insights A technology-focused, innovative mindset with strong business acumen Willingness to work from our Edinburgh office 2-3 days per week
-
- Security Architect - Cloud - Consultancy London
- London
- N/A
-
Security Architect with a focus into Cloud (AWS, Azure or Google Cloud Platform) needed. You must have client facing consultancy experience. This mean you must have experience working with clients helping them to meet their security design needs. That could include working with existing internal teams to understand, review and mitigate / uplift existing Cloud Security designs, or perhaps helping clients set out / understand their current needs and deliver their cloud security strategy. (Or anything in between) Technical knowledge is of course essential but working with clients to understand and solve their Cloud Security design challenges is vital. You must obviously have a current history working as a cloud security architect. You will need to be commutable to London. Whilst a hybrid role the expectation is 3 days a week in the office / meeting clients. International relocation or Visa sponsorship isn’t available for this role. Apply on this page and arrange a call here https://calendly.com/d/crpz-m7j-wyx