WordPress Botnet Infects Blogs in a Large-Scale Attack

A large WordPress botnet is currently attacking other blogs powered by the platform. It is particularly worrying because it has already recruited a large number of victim sites. What we know so far is that the network is tunneled through a Russian proxy service provider, which may indicate that the hackers are of Russian origin.

The WordPress Botnet May Be After Your Blog

A new WordPress botnet is now attacking blogs powered by the popular platform in an attempt to take down as many as possible. What we know so far is that it has already recruited a large number of machines. As its size grows with every infected blog, we anticipate that it may become a very powerful weapon for other crimes as well. The security report reveals that it uses an advanced infection algorithm, possibly the product of careful planning.

An analysis of the way the victim sites are attacked shows that the method used is a brute-force attack. The attacks are directed against the XML-RPC interface, which can be used to authenticate with the blogs. To make the requests look more believable to the target system, various user agents are used during the access attempts, imitating iPhone and Android devices. So far the statistics show that over 20,000 WordPress slave sites are currently part of the botnet. The password sets used to gain entry to the infected systems consist not only of common and weak credentials but also of guesses built from common patterns. Using a multicall approach, in which many login attempts are bundled into a single XML-RPC request, the WordPress botnet is able to gain entry into many systems at a significantly faster pace than traditional intrusion attempts.

A defining characteristic of this threat is its complex attack chain. The intrusion attempts are carried out by the recruited botnet slave hosts and not by the back-end servers operated by the malicious actors. The instructions for the offensive are sent via a network of proxy servers, which makes it very difficult to track the original source of the attacks. The proxy servers are run by a Russian provider, which possibly indicates that the malicious operators may be from Russia.


Four separate command and control servers were identified, showing that the infected hosts can also be operated by different groups. One hypothesis about its mode of operation is that it can be rented to other hackers via the underground markets.

As the WordPress botnet is still active, it is important for administrators to take the necessary precautions to protect their sites. The top three security tips in this situation are the following:

  • Implement restrictions and temporary lockouts for failed login attempts.
  • Monitor access logs and look out for any suspicious behavior or traffic.
  • Ensure that a strong username and password combination along with CAPTCHA are implemented for all WordPress accounts.
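The log-monitoring tip can be turned into a concrete check. The following added example (not code from the article or from WordPress) parses constructed Apache combined-format access log lines and flags sources that repeatedly POST to xmlrpc.php, reporting how many distinct user agents each one rotated through; the sample addresses, the log lines and the threshold of three requests are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not real traffic.
# 203.0.113.7 hammers xmlrpc.php while rotating mobile user agents;
# 198.51.100.3 is ordinary browsing plus one legitimate WordPress pingback.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 513 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15"
203.0.113.7 - - [05/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 513 "-" "Mozilla/5.0 (Linux; Android 8.0; SM-G960F) AppleWebKit/537.36"
203.0.113.7 - - [05/Dec/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 513 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15"
198.51.100.3 - - [05/Dec/2018:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.3 - - [05/Dec/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 513 "-" "WordPress/5.0; https://example.org"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_xmlrpc_bruteforce(log_text, threshold=3):
    """Return {ip: {"count": n, "user_agents": k}} for every client that POSTed
    to xmlrpc.php at least `threshold` times. The HTTP status is deliberately
    ignored: XML-RPC reports a failed login as a fault inside a 200 response,
    so request volume and user-agent churn per source are the useful signals."""
    per_ip = defaultdict(lambda: {"count": 0, "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/xmlrpc.php"):
            continue
        per_ip[rec["ip"]]["count"] += 1
        per_ip[rec["ip"]]["uas"].add(rec["ua"])
    return {ip: {"count": v["count"], "user_agents": len(v["uas"])}
            for ip, v in per_ip.items() if v["count"] >= threshold}

if __name__ == "__main__":
    for ip, info in flag_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} xmlrpc.php POSTs, "
              f"{info['user_agents']} distinct user agents")
```

On a real server, feed the function a sliding window of the access log and pair a flagged source with the temporary lockout from the first tip.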

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
