The ‘Game of WordPresses’: Botnet WordPress vs Other WordPress Installs
If Netflix has Game of Thrones, WordPress has a ‘Game of WordPresses’: a botnet of some 20,000 compromised WordPress installations is operating on the Internet and attacking other, healthy WordPress sites. This huge botnet of infected WordPress installations hunts for further WordPress-based sites to infect, using the classic but still effective dictionary attack to guess the passwords of the victim’s WordPress site.
With 20,000 members and still counting, the botnet has made some 5 million attempts to guess the admin passwords of other, clean WordPress sites since researchers from Defiant discovered it. A dictionary attack is a classic way of breaking into a password-protected system: every word in a list (the dictionary) is tried in turn against the login prompt until one is accepted.
“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru. They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites. The diagram below illustrates the attack chain,” explained Mikey Veenstra.
The stream of brute-force attempts against a clean WordPress site should be visible to its real owners in the site’s admin logs. It will show many different source machines whose IP addresses belong to web-hosting providers, because most of the WordPress install base is hosted by third-party providers rather than self-hosted, and the attacking sites are themselves infected installs on such hosting.
At the time of this writing, there is no known way for authorities to forcibly take down the command and control servers used by the WordPress botnet. The hackers cleverly signed up with HostSailor, a hosting provider known for not honoring takedown requests from any government. Defiant has advised WordPress administrators to install security plugins in their WordPress instances in order to block the botnet’s attempts at brute-forcing the admin password. Such plugins act as a firewall in front of the login page, limiting repeated login attempts from the same source.
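The two observations above, that the attempts arrive from many different hosting IP addresses and that a login-limiting plugin blocks repeated attempts from one source, can be checked against a site's own access log. The script below is an added example, not code from the article, from Defiant, or from any WordPress plugin. It parses constructed Apache-style log lines, models the per-IP lockout a login-limiting plugin applies, and separately flags a time bucket in which many distinct sources share the guessing work, which is the pattern a botnet of infected sites produces and which a per-IP limit alone does not catch. The log lines, the IP addresses (taken from documentation ranges), the thresholds, and the convention that a failed POST to wp-login.php re-renders the form (HTTP 200) while a successful one redirects (HTTP 302) are all assumptions of this example.

```python
"""Spot distributed password guessing against a WordPress login page in
access-log lines, and model the per-IP lockout a login-limiting plugin
applies.  Added example; every log line below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" style line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
T0 = datetime(2018, 12, 7, 10, 0, 0, tzinfo=timezone.utc)  # constructed start time


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_logins(lines):
    """Yield (timestamp, ip) for POSTs to wp-login.php that were not answered
    with a redirect.  Assumption: WordPress redirects (302) on success and
    re-renders the form (200) on a wrong password."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] != 302):
            yield rec["ts"], rec["ip"]


def per_ip_lockouts(lines, max_failures=5, window=timedelta(minutes=5)):
    """Model a login-limiting plugin: a source IP is locked out once it has
    max_failures failed attempts inside a sliding window."""
    recent = defaultdict(list)
    locked = set()
    for ts, ip in failed_logins(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked.add(ip)
    return locked


def distributed_bruteforce(lines, bucket=timedelta(minutes=5),
                           min_failures=20, min_sources=10):
    """Flag fixed time buckets where the failed-login volume is high AND it
    comes from many distinct sources: each source stays under the per-IP
    lockout, but the site as a whole is clearly being worked over."""
    size = bucket.total_seconds()
    buckets = defaultdict(list)
    for ts, ip in failed_logins(lines):
        buckets[ts.timestamp() // size].append(ip)
    alerts = []
    for key in sorted(buckets):
        ips = buckets[key]
        if len(ips) >= min_failures and len(set(ips)) >= min_sources:
            alerts.append({
                "bucket_start": datetime.fromtimestamp(key * size, tz=timezone.utc),
                "failures": len(ips),
                "sources": len(set(ips)),
            })
    return alerts


def _line(ip, ts, status):
    # Constructed log line in the format LOG_RE expects.
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" '
            f'{status} 2871 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed scenario: 12 infected hosts make two guesses each within two
    minutes; one lone host makes six guesses; one real user mistypes once."""
    lines = []
    for n in range(12):
        for k in range(2):
            lines.append(_line(f"203.0.113.{10 + n}",
                               T0 + timedelta(seconds=10 * n + 5 * k), 200))
    for k in range(6):
        lines.append(_line("198.51.100.7",
                           T0 + timedelta(minutes=20, seconds=10 * k), 200))
    lines.append(_line("192.0.2.5", T0 + timedelta(minutes=30), 200))
    lines.append(_line("192.0.2.5", T0 + timedelta(minutes=30, seconds=15), 302))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("locked out by per-IP limit:", per_ip_lockouts(SAMPLE_LOG))
    print("distributed guessing:", distributed_bruteforce(SAMPLE_LOG))
```

On the constructed log the per-IP limit locks out only the lone host, while the twelve infected hosts, two guesses each, pass under it; the bucket-level check is what reveals them. In practice the per-IP lockout is still worth having (it stops the cheap single-source case and forces an attacker to spread attempts), and the bucket-level alert is the trigger for stronger measures such as a temporary challenge on the login page or a block of the offending hosting ranges.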
“A great deal of valuable data was gathered as a part of this investigation. Due to the nature of our work, our team maintains contact with a number of law enforcement agencies around the globe. While we typically share a great deal of data on these blog posts, like IP addresses and other indicators of compromise, in this case we have elected to retain some of this information in order to prevent interfering with possible future investigations. In addition to law enforcement, we will be contacting some hosting providers we’ve identified with large numbers of infected “slave” sites. It is our hope that providing this information can help limit the effectiveness of this campaign by reducing the number of active sites launching attacks,” added Veenstra.
It is still not known whether WordPress itself will release an emergency update to prevent the botnet from targeting clean WordPress sites. For previous WordPress issues, updates addressing specific security concerns were released within a reasonable time frame.