Botnet of infected WordPress sites attacks WordPress sites
WordPress sites are being targeted in a series of attacks tied to a 20,000-strong army of infected WordPress websites. The assault is a widespread password attack carried out through a Russian proxy provider and aimed at a developer application programming interface. The attacks, first identified by the Defiant Threat Intelligence Team, use four command-and-control (C2) servers that send requests to 14,000 proxy servers tied to a Russian internet firm called Best Proxies. According to Mikey Veenstra, a security researcher at Wordfence, "The attackers use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites." According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be used by other hackers. Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.
The attacks target WordPress's XML-RPC interface, an API that Android and iOS mobile app developers use to link apps to WordPress websites. The attack starts with a malicious script that automates attempts to authenticate to the XML-RPC interface using common usernames and passwords. The list used in the attack contains a small set of very common passwords, and the script can also generate passwords based on common patterns. While this is unlikely to succeed against any individual site, it can be effective when used across a large number of targets.
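As an added illustration that is not part of the original article, the script below shows how a site operator could spot the pattern described above in Apache access logs: it counts POSTs to xmlrpc.php per source address inside a sliding one-minute window and flags any source whose count reaches a threshold. The log lines, addresses and threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Apache combined-log lines, not real traffic: 203.0.113.7 plays one
# attack-script node hammering xmlrpc.php; the other sources are ordinary use.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Dec/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2018:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.4 - - [06/Dec/2018:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-android/11.0"
203.0.113.7 - - [06/Dec/2018:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2018:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.4 - - [06/Dec/2018:10:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-android/11.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache's default timestamp layout

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_xmlrpc_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP to its peak number of POSTs to xmlrpc.php inside any
    `window`, keeping only sources whose peak reaches `threshold`."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only a POST body can carry an XML-RPC call; ignore any query string.
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Because the campaign described here spreads its guesses across 14,000 proxies, per-address counts will miss much of it; watching the site-wide rate of xmlrpc.php POSTs alongside this check is the practical complement.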
WordPress has restricted scripts from systematically guessing XML-RPC interface passwords since 2015, prompted by a brute-force password attack that year. WordPress rolled out the patches quietly and without any documentation. Hackers are using scripts to identify vulnerable versions of WordPress. Normally it is difficult to track the central servers behind such a campaign, but researchers were lucky thanks to flaws in the hackers' brute-force scripts. In some cases the scripts did not contain word lists; instead, the lists were downloaded from a C2 server, and that download helped researchers identify the servers. Researchers used security tools to bypass the login redirects employed by the hackers and were able to browse the interface of the C2 application. The interface included the ability to access a list of "slaves," the infected WordPress sites running the brute-force scripts.
To protect your site against brute-force attacks such as this, don't use common usernames and passwords. The majority of attacks assume people are using the username "admin," since early versions of WordPress defaulted to it. If you are still using this username, make a new account, transfer all the posts to that account, and demote "admin" to a subscriber. If you have a newer version of WordPress, don't use common names such as "admin" or "administrator"; it is best to use a normal-looking username for the administrator account. Also use strong passwords that contain a combination of upper case, lower case, numbers and symbols. Avoid any combination of the username and avoid words that can be found in the dictionary. Finally, you can lock down wp-login.php and/or wp-admin. To avoid getting 404 or 401 errors when accessing those pages, you will need to add the following to your .htaccess file: ErrorDocument 401 default.
Brute-force password attacks won't be going away anytime soon, and hackers are becoming more sophisticated in their attacks. With tools like WordPress and cloud computing, it is getting easier for less tech-savvy individuals and companies to create websites, making them more tempting targets for hackers. The methods to protect against such attacks aren't new; they have been around for a long time. Website security needs are no different from other security needs, and using admin usernames and simple passwords is like leaving your keys in your car: you are just inviting someone to take it.