Since 2018, password-cracking botnets has been targeting WordPress sites. These botnets are made of infected WordPress sites that are then being repurposed to perform brute force attacks on other WordPress sites. The active threat-actors employ the use of the native XML-RPC interface of WordPress to brute-force username/password pairs; the end-goal is to gain access to privileged accounts, and then use the enslaved computer to repeat the process on other machines.
How the Botnet Works
What is a botnet?
A botnet is a network of infected machines, that deploy tactics such as malicious code and remote access, to help spread the infection, while originating from a sole actor.
Russian Origins
The particular botnet in question, works by using a group of four command and control (C2) servers, sending server-side requests to over 14,000 proxy servers, provided by a Russian domain called best-proxies[.]ru. However, some digital-footprints point to server existence in Romania and the Netherlands as well.
These proxy servers are used to anonymize the C2 traffic. The requests are then sent to over 20,000 infected WordPress sites, which are running an attack script. This script attacks targeted WordPress sites by attempting XML-RPC authentication to access privileged accounts.
function createFullRequest($login, $passwords){
$xml = createRequestXML();
for($i = 0; $i < count($passwords); $i++){ $xml = addElementXML($xml, $login, $passwords[$i]); } $request = $xml->saveXML();
return $request;
}
The script itself generates passwords pulled from publicly accessible credential patterns; once a pattern is determined, it will apply said pattern in a brute force test. For instance, if the script is attempting to log on to example.com as the user Alice, it will utilize passwords such as Alice1, Alice2018, and so on. This tactic can be very effective when used at scale across a large number of targets.
The C2 system’s issuing instructions to the script can optionally define $startPass and $endPass variables, which tell the script to only attempt a subset of passwords on a given list, instead of running the entire set. This greatly increases the speed at which the whole system operates.
Similar Attacks
As recent as February 2024, similar attacks have been seen injecting custom malicious JavaScript into WordPress sites unknowingly, causing site visitors to be silently redirected in the background. The hidden redirection points the visitor to a malicious clone of the site, reporting a user name and list of passwords to a getTask method; as a result, the hackers are given a list of credentials that are tried against said accounts; the cycle then continues with other machines, so on and so forth, in a never ending loop of credential requests and results.
const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';
const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';
It is not yet known where the source of this modern take on the Botnet attack originates from, as the botnet is already quite large, amassing a list of approximately 1,200 effected IPs in just under four days. However, Security Specialists are working toward a solution.
Learn more about this from ars Technica!
How Do You Know?
It’s generally no small task to determine if you’ve been infected, much less the source of infection, as malware by design hides itself thoroughly. The first place to look for infection, with regards to WordPress, is your server/site logs, generally defaulted to the location: C:\inetpub\logs.
Additionally, check within your installation’s Web-Admin, Content and User folders for any recent or suspicious changes.
How to Protect Your WordPress Site
To protect your WordPress site from this type of attack, it’s important to take the following steps:
- Use strong, unique passwords: Make sure that you are using strong, unique passwords for all of your WordPress accounts; this will make it more difficult for the attackers to gain access to your site. Additionally, consider employing 2factor authentication methods to your users’ login.
- Limit login attempts: Consider using a plugin to limit the number of login attempts that can be made to your site; this will help to prevent brute force attacks. Many of these plugins offer further customization beyond limited attempts, such as lockout periods and ip blacklisting.
- Remove unused user accounts: If you are no longer using an account, or you believe an account may be compromised, it’s safest to remove the account entirely, as you can always recreate it later. In addition, if your site is fully setup, consider removing the default admin account as this is the first account tried by hackers in their attempts to bypass your site’s security.
- Keep your WordPress site up to date: Make sure that you are running the latest version of WordPress and that all of your plugins and themes are up to date. By updating on a consistent schedule, you can insure your system loads the current security patches and bug fixes that are included in the update.
- Use a security plugin: Consider using a security plugin to help protect your site. There are many free and paid options available that can help to prevent brute force attacks and provide other security features, such as custom reports and notifications.
We recommend the free plugin Loginizer, which includes brute-force protections and failed login attempt alerting
Conclusion
The recent WordPress password-cracking botnet is a serious threat to WordPress sites. However, that is only the tip of the security iceberg. As more and more computers become infected, from seemingly ‘normal’ websites, malware can travel stealthily behind the scenes. By taking proper precautions, you can protect yourself from this type of attack, as well as countless others.
