WordPress users are facing another security worry following the discovery of a massive botnet. Attackers have infected 20,000 WordPress sites by brute-forcing administrator usernames and passwords. They are then using those sites to infect even more WordPress installations.
The botnet, which WordPress security company Wordfence discovered last week, infects sites using a feature known as XML-RPC. This is an interface that lets one piece of software make requests to another by sending it remote procedure calls (RPCs) written in the extensible markup language (XML).
Legitimate blogging programs use this feature to send blog content for WordPress sites to format and publish. Attackers can also use it to try multiple passwords and then manipulate a site if they gain access.
The attackers wrote a script that would launch an XML-RPC-based brute force attack, automatically generating a range of usernames and passwords in the hope that one of them will work and give it access to a privileged account. At that point, they can use that account to infect that site with the botnet software.
The password-building mechanism takes lists of usernames along with lists of common passwords and uses simple algorithms to create new password combinations from the usernames. So it might try the username ‘alice’ with passwords like alice123, alice2018, and so on. It might not be very effective on a single site, but when used across many sites, the attackers’ chances of success increase, says Wordfence.
Like any botnet, infected sites take instruction from the bot herders via a command and control (C2) server. In this case, however, the C2 infrastructure is relatively sophisticated. The attackers send their instructions to infected sites from one of four C2 servers that communicate via proxy servers, chosen from a large Russian list. Three of the C2 servers are hosted by HostSailor, which cybersecurity journalist Brian Krebs has reported on in the past.
While the C2 servers presented a login screen, Wordfence found that they did not, in fact, require authentication and it was able to view details of the infected slave machines, along with the proxy lists used to access them.
How can site owners protect themselves from this kind of brute force attack? Companies like Wordfence use anti-brute force techniques to restrict the number of login attempts and lock out attackers altogether after too many incorrect passwords.
Attackers might try to get around these techniques by switching proxies and/or user agent strings with each request, but these products can also stop them by blocking access from known malicious or infected sources using real-time blacklists.
These are all great extra layers of security to have, but a simpler and equally effective way to stop someone brute-forcing your account is to use a strong password and keep it safe in a password manager. Using a weird username that you won’t find on a regular list of names doesn’t hurt, either. It makes user credentials almost impossible to guess. Complement this with multi-factor authentication, preferably using a dedicated mobile authentication app rather than an SMS authorization, for extra protection.
Another effective security measure is to restrict administrative account access to specific IP addresses or to clients with specific digital certificates. It is also good practice to keep your WordPress installation as up to date as possible, too.
At present, the attackers seem to be in botnet-building mode, doing little more than growing the number of WordPress sites under their control. What will they do with these infected sites? It is difficult to tell, but a past Wordfence survey suggests that sending spam, hosting phishing pages, and launching malicious redirects are among the most popular WordPress attacks.
If you have a WordPress site, it would be worth checking your audit logs for any suspicious activity, checking your password security, and turning on multi-factor authentication (MFA or 2FA).
2 comments on “Massive botnet chews through 20,000 WordPress sites”
One of my WordPress sites has been under regular attack for over a year. I use very long passwords so they never had a hope of success. After a while I changed the admin userid (they had discovered my earlier complex userid) but they continued attacking the original, now non-existant, userid (sure sign of a bot). In mid-October the attacks stopped. Most attacks were from IP: 126.96.36.199, but others were also used.
Maybe “sending spam, hosting phishing pages, and launching malicious redirects are among the most popular WordPress attacks”, but I think we should be much more alert to the possibility, indeed, probability, of government sponsored attacks, military and commercial, especially where covert network building is going on. We used to recommend regular changes of passwords, then decided that was of less value than it seemed. Maybe now we should recommend regular changes of administrative userids as well as minimum specification passwords. Maybe we should consider enforced userid and password changes, pasword standards, and 2FA.
2 days old news,:when we talk about security inform people swiftly is very important