A large WordPress botnet is currently attacking other blogs powered by the platform. It is particularly worrying as it has already gained a large number of recruited victims. What we know so far is that the network is tunneled through a Russian proxy service provider, possibly indicating that the hackers might be of Russian origin.
The WordPress Botnet May Be After Your Blog
A new WordPress botnet is now attacking blogs powered by the popular platform in an attempt to take down as many as possible. What we know so far is that it has been able to gain a large number of recruited machines. As its size grows with every infected blog, we anticipate that it might become a very powerful weapon for other crimes as well. The security report reveals that it uses an advanced infection algorithm, possibly the product of careful planning.
An analysis of the way the victim sites are attacked shows that the method used is brute-force password guessing. The attacks are directed at the XML-RPC interface, which can be used to authenticate with the blogs. In order to make the requests look more legitimate to the system, various user agents are used during the access attempts, including iPhone and Android devices. So far the statistics show that over 20,000 WordPress slave sites are currently part of the botnet. The password sets used to gain entry to the infected systems consist not only of common and weak credentials, but also of guesses built from common patterns. Using a multicall approach, which packs many login attempts into a single request, the WordPress botnet is able to gain entry into many systems at a significantly faster pace than traditional intrusion attempts.
A defining characteristic of this threat is its complex attack chain. The intrusion attempts are carried out by the recruited botnet slave hosts and not by the back-end servers operated by the malicious actors. The instructions for the offensive are sent via a network of proxy servers, which makes it very difficult to track the original source of the attacks. The proxy servers are run by a Russian provider, which possibly indicates that the malicious operators may be from Russia.
Four separate command and control servers were identified, showing that the infected hosts can also be operated by different groups. One hypothesis about its mode of operation is that it can be rented to other hackers via the underground markets.
As the WordPress botnet is still active, it's important for administrators to take the necessary precautions to protect their sites. The top three security tips in this situation are the following:
- Implement restrictions and temporary lockouts for failed login attempts.
- Monitor access logs and look out for any suspicious behavior or traffic.
- Ensure that a strong username and password combination along with CAPTCHA are implemented for all WordPress accounts.
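As an added example of the log monitoring and lockout advice above (not code from the original report), the script below parses combined-format access log lines and flags client IPs that repeatedly POST to xmlrpc.php while rotating user agents. The log lines are constructed for illustration, and the threshold is deliberately low because a single multicall request can carry many password guesses.

```python
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one host hammering xmlrpc.php with
# alternating mobile user agents, plus a benign visitor and a legitimate pingback.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"
203.0.113.7 - - [10/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Linux; Android 8.0)"
203.0.113.7 - - [10/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"
203.0.113.7 - - [10/Dec/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Linux; Android 8.0)"
198.51.100.4 - - [10/Dec/2018:10:00:05 +0000] "GET /2018/12/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.4 - - [10/Dec/2018:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "WordPress/5.0; https://example.org"
"""

def parse_line(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posts_by_ip(log_text):
    """Count POST /xmlrpc.php requests and distinct user agents per client IP.

    Note: XML-RPC answers a failed login with HTTP 200 and a fault in the body,
    so the status column cannot separate failed guesses from real calls; volume
    and user-agent churn per IP are the usable signals at the access-log level.
    """
    counts = defaultdict(lambda: {"posts": 0, "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            counts[rec["ip"]]["posts"] += 1
            counts[rec["ip"]]["uas"].add(rec["ua"])
    return counts

def flag_bruteforce(log_text, threshold=3):
    """Return IPs at or above `threshold` xmlrpc.php POSTs: candidates for a temporary lockout."""
    stats = xmlrpc_posts_by_ip(log_text)
    return sorted(ip for ip, c in stats.items() if c["posts"] >= threshold)

if __name__ == "__main__":
    for ip in flag_bruteforce(SAMPLE_LOG):
        c = xmlrpc_posts_by_ip(SAMPLE_LOG)[ip]
        print(f"{ip}: {c['posts']} xmlrpc POSTs, {len(c['uas'])} distinct user agents")
```

Feeding real logs through the same functions and wiring the flagged IPs into a firewall or plugin lockout rule gives the first two tips a concrete implementation.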