A botnet consisting of over 20,000 WordPress sites is being used to attack and infect other WordPress sites. Once compromised, these new sites are added to the botnet so that they too can be used to perform commands for the attackers.
In new research released by WordPress security firm Defiant, it was discovered that attackers have recruited over 20K WordPress installs into a botnet that can be issued commands to brute force the logins for other WordPress sites on the Internet. Defiant has further stated that between their Wordfence brute-force protection module and IP blacklist, they have blocked over 5 million authentication requests from these attackers.
These brute force attacks target the XML-RPC implementation of WordPress in order to brute force user name and password combinations until a valid account is discovered. XML-RPC is an endpoint that external users can use to remotely post content to a WordPress site using the WordPress or other APIs. This endpoint is located in the root directory of a WordPress install at the xmlrpc.php file.
The problem with XML-RPC is that in its default implementation it does not perform rate limiting on the number of API requests that are issued against it. This means that an attacker can sit there all day trying different user names and passwords and nobody would be alerted to it unless they checked the logs.
The anatomy of the attack
This attack is being conducted by a threat actor utilizing four command and control (C2) servers that issue commands to a botnet of over 20,000 WordPress sites through proxy servers located at the Russian Best-Proxies.ru service. The attackers were using over 14,000 proxy servers offered by Best-Proxies.ru in order to anonymize their C2 commands.
Once the infected WordPress sites received the commands, they would begin to brute force the target’s XML-RPC interface in order to acquire login credentials.
Defiant noticed this attack when they saw a large number of failed logins from clients that were pretending to be iPhone and Android WordPress clients.
“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android,” stated Defiant’s research. “Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.”
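The signal described above can be approximated from a site's own access log. The following Python sketch is an added example, not Defiant's code: it counts POST requests to xmlrpc.php per source IP in a sliding window and notes whether the client claimed a wp-iphone or wp-android User-Agent. The log lines are constructed samples in combined log format, and the threshold and window are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MOBILE_UA_PREFIXES = ("wp-iphone", "wp-android")  # User-Agents named in the research
ROW = '{ip} - - [01/Jan/2019:10:{t} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = "\n".join(
    [ROW.format(ip="203.0.113.7", t=f"00:{s:02d}", req="POST /xmlrpc.php",
                ua="wp-iphone/11.2") for s in range(0, 40, 2)]
    + [ROW.format(ip="198.51.100.9", t="00:05", req="POST /xmlrpc.php", ua="wp-android/11.0"),
       ROW.format(ip="198.51.100.9", t="07:30", req="POST /xmlrpc.php", ua="wp-android/11.0"),
       ROW.format(ip="192.0.2.44", t="01:00", req="GET /index.php", ua="Mozilla/5.0")])

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def xmlrpc_bursts(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"peak", "mobile_app_ua"}} for IPs whose POSTs to
    xmlrpc.php reach `threshold` within any `window`. The access log does
    not record whether a login succeeded, so request rate is the signal."""
    times, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/xmlrpc.php"):
            continue
        times[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        agents[m["ip"]].add(m["ua"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            mobile = any(ua.startswith(MOBILE_UA_PREFIXES) for ua in agents[ip])
            flagged[ip] = {"peak": peak, "mobile_app_ua": mobile}
    return flagged

if __name__ == "__main__":
    for ip, info in xmlrpc_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

A high request rate from a client presenting a mobile-app User-Agent is the combination worth reviewing, since those apps normally store working credentials.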
By examining infected sites, Defiant was able to locate the brute force scripts being used. These scripts would accept POST input from the C2 servers that told the script what domains to target and what word lists to use when performing the brute force attacks.
When further examining the script, they saw that the script would accept a URL to retrieve new wordlists if they were missing from the infected site.
This led them to an IP address for one of the C2 servers. Once they gained access they were able to see the various commands that could be issued from the server and the number of sites that were part of the botnet.
Defiant is working with law enforcement around the world to notify the infected users and take down the botnet.
Protecting a WordPress site from this attack
To protect yourself from brute force attacks, you need to install a plugin that restricts the number of failed login attempts an attacker can perform before they are locked out.
There are numerous plugins available that provide this feature, including Defiant’s Wordfence plugin that costs $89 per site per year.