Are you wondering what happens to all of the compromised WordPress websites that we cover? Wonder how bad these plugin/core vulnerabilities really are?
Recent news from the WordPress security world is that a botnet of over 20,000 compromised WordPress websites is being used to attack other WordPress websites. The infected sites creep across the web compromising further sites, and each site that falls is added to the botnet's numbers.
No. This isn't a post-apocalyptic novel. This is the real world. So, let's see how it is that over 20,000 websites are slowly eating away at WordPress site admins.
Let's dive in!
Let's start by saying this. There are probably bigger and more complex WordPress botnets out there. Typically, tracking these massive botnets is difficult, and, according to Defiant (who own WordFence):
"It would typically be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts."
The 20,000+ site botnet was found by security researchers at Defiant, who published a report on WordFence.com. As it currently stands, many of the websites in this botnet are still active, though Defiant is working with law enforcement to curb them.
So, how does this botnet work?
How it Works
The attacker is using a group of compromised websites to enlist other websites into the botnet. By adding the compromised sites to the botnet, the attacker can gather information, breach data, and continue to enlist more and more websites into its malicious campaign. Anyone who owns one of these websites would probably never notice that their website is being used to attack other websites.
So, what are these botnets doing?
According to WordFence, they're running dictionary attacks. This means the botnet tries to log into a site over and over using lists of likely usernames and passwords (a wordlist, not random strings) until a combination succeeds. The guesses themselves are not naive: the attacker seeds the list with the target's own usernames and applies semi-sophisticated patterns to them.
These patterns are things like the username itself, the username followed by a short number such as 123, and the username followed by a year. So, let's say your WordPress username was Bob24: the botnet would first try Bob24 as the password, then Bob24123, then Bob242017, and so on. Once the username-derived guesses are exhausted, the botnet keeps hammering the site with the rest of its wordlist until it gets a correct result.
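To make the pattern concrete, here is an added example (not code from the original post, and not the botnet's or Wordfence's code) that builds the username-derived guesses described above and checks them against WordPress password hashes, the phpass "$P$" portable format WordPress stored in wp_users.user_pass at the time. A site admin can run it over their own user table to find accounts this kind of attack would hit. The suffix list and year range are assumptions drawn from the examples in the text; a real attack wordlist is much longer.

```python
"""Added example, not code from the original post or from Wordfence.

Builds the username-derived guesses a dictionary attack like the one
described above would try, and checks WordPress phpass ("$P$") password
hashes against them. Pattern list and year range are assumptions based on
the examples in the text (username, username+123, username+year).
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumed suffixes and year range; extend to taste.
COMMON_SUFFIXES = ("", "1", "12", "123", "1234", "!", "@123")
YEARS = range(2015, 2019)


def candidate_passwords(username, years=YEARS):
    """Username-derived guesses in roughly the order an attacker would try them."""
    # Case variants of the username; dict.fromkeys dedupes while keeping order.
    bases = list(dict.fromkeys([username, username.lower(), username.capitalize()]))
    guesses = []
    for base in bases:
        guesses.extend(base + suffix for suffix in COMMON_SUFFIXES)
        for year in years:
            guesses.append(f"{base}{year}")   # e.g. Bob242017
            guesses.append(f"{base}@{year}")  # e.g. Bob24@2017
    return list(dict.fromkeys(guesses))


def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, little-endian."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_hash(password, setting):
    """Recompute a phpass portable hash. `setting` is the first 12 chars of a
    stored hash: "$P$" + cost char + 8-char salt. Port of phpass crypt_private()."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    rounds = 1 << ITOA64.index(setting[3])        # cost char encodes log2(rounds)
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_check(password, stored_hash):
    """True if `password` produces `stored_hash` under its own salt and cost."""
    return phpass_hash(password, stored_hash[:12]) == stored_hash


def audit_accounts(accounts, years=YEARS):
    """accounts: iterable of (user_login, user_pass) rows from wp_users.
    Returns the logins whose password is one of the username-derived guesses."""
    at_risk = []
    for login, stored in accounts:
        if any(phpass_check(g, stored) for g in candidate_passwords(login, years)):
            at_risk.append(login)
    return at_risk


if __name__ == "__main__":
    # Constructed demo row: user "Bob24" with password Bob242017, fixed salt.
    demo_hash = phpass_hash("Bob242017", "$P$Babcdefgh")
    print(candidate_passwords("Bob24")[:4])        # ['Bob24', 'Bob241', 'Bob2412', 'Bob24123']
    print(audit_accounts([("Bob24", demo_hash)]))  # ['Bob24']
```

Run it against `SELECT user_login, user_pass FROM wp_users` output and reset every account it reports. Because each phpass check costs thousands of MD5 rounds, keep the candidate list small and targeted, which is exactly why attackers derive guesses from the username rather than trying everything.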
So, here's the question. How is it that the botnet can use a brute force technique against WordPress? Surely there's protection against such a simple attack pattern?
The attack abuses WordPress's XML-RPC interface, xmlrpc.php, the remote publishing API that clients such as the WordPress mobile app use to authenticate and post content without going through the web login form. Every XML-RPC method that needs authentication takes a username and password with the call, so each request is a login attempt. Here's the problem: WordPress core does not limit how many XML-RPC requests (and therefore login attempts) a client can make, so the attacker can brute force passwords all day long without being locked out. At the same time, nobody is going to be alerted to the requests unless they happen to be looking at the web server log, and because WordPress answers a failed XML-RPC login with an HTTP 200 response carrying an XML fault rather than a 401 or 403, the failures don't even stand out by status code.
In a sense, the attacker is using an "old school" technique, plain password guessing, simply because WordPress applies no rate limiting or lockout at this layer.
So, how did the attacker build this massive botnet?
The Botnet's Structure
The zombie websites are controlled using four C2 servers. Luckily, some mistakes made by the attacker clued WordFence into the fact that these servers existed.
These four C2 servers send commands to the 20,000+ WordPress websites through proxy servers obtained from the Best-Proxies.ru proxy service, so the infected sites only ever see the proxies, not the C2 addresses. In a sense this is a sophisticated operation: the attacker sends commands to the C2 servers, which relay them through the proxies to the infected websites, which in turn carry out the attacks on other websites.
The flow would look like this: attacker > C2 servers > Best-Proxies.ru servers > infected WordPress websites > other WordPress websites (target)
So, how did the attacker get access to +20,000 WordPress websites?
It's highly doubtful that the initial compromises came from these dictionary attacks. More likely the attacker used another vulnerability path, such as a vulnerable plugin or theme, to take the bulk of the initial sites and gain the capacity needed to run the brute force campaign.
How Do You Protect Yourself?
As this botnet continues to attack websites, you may be wondering how you protect yourself from it (and others like it). To be clear, this is almost certainly not the only massive botnet abusing WordPress's XML-RPC weakness. This is just one that has been found. In fact, your WordPress website or online store may be part of a botnet right now!
Protecting your website from these types of botnets is tough. The best way, though the most time consuming, is to check your logs consistently and keep up with news about WordPress theme and plugin vulnerabilities. To be fair, there are thousands of those yearly, so we understand why that might not be the most accessible solution. Two cheap measures do help against this particular campaign: if nothing you use needs XML-RPC (the mobile app and some plugins do), block xmlrpc.php at the web server, and make sure no account's password is its username with a number or a year stuck on the end.
You could also put a web application firewall or rate limiter in front of the site, but a setup that reliably stops an attack spread across thousands of proxies is not cheap.
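Checking the logs does not have to be manual. Here is an added example (not from the original post or from Wordfence) that scans an access log for the two shapes this attack takes: a burst of POST /xmlrpc.php from a single address, and, because the botnet spreads its attempts across many proxies, a burst from many distinct addresses at once. The log lines are constructed for the example, and the window and thresholds are assumptions to tune per site.

```python
"""Added example, not code from the original post or from Wordfence.

Scans a web server access log (combined log format) for XML-RPC
brute-force activity. Sample log lines are constructed; the window and
thresholds are assumptions to tune for your site's normal traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one legitimate client (203.0.113.10), one single-IP
# burst (198.51.100.7) and one burst spread over five proxy IPs (192.0.2.x).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Dec/2018:10:15:01 +0000] "GET /about/ HTTP/1.1" 200 5120
198.51.100.7 - - [07/Dec/2018:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [07/Dec/2018:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [07/Dec/2018:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [07/Dec/2018:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [07/Dec/2018:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [07/Dec/2018:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.21 - - [07/Dec/2018:10:16:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.22 - - [07/Dec/2018:10:16:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.23 - - [07/Dec/2018:10:16:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.24 - - [07/Dec/2018:10:16:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.25 - - [07/Dec/2018:10:16:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.10 - - [07/Dec/2018:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612
"""


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def xmlrpc_posts(log_text):
    """Every POST to xmlrpc.php, oldest first. WordPress answers a failed
    XML-RPC login with HTTP 200 and an XML <fault>, so status codes carry no
    signal here; the signal is request volume."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bruteforce(log_text, window=timedelta(seconds=60),
                      per_ip_threshold=5, distributed_threshold=5):
    """Flag IPs with >= per_ip_threshold xmlrpc POSTs inside `window`, and
    flag a distributed burst when >= distributed_threshold distinct IPs
    post to xmlrpc.php inside one window (the proxied-botnet case)."""
    events = xmlrpc_posts(log_text)
    noisy_ips = set()
    per_ip = defaultdict(deque)   # ip -> timestamps inside the sliding window
    recent = deque()              # all xmlrpc POSTs inside the sliding window
    distributed = False
    for ev in events:
        q = per_ip[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_threshold:
            noisy_ips.add(ev["ip"])
        recent.append(ev)
        while ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if len({e["ip"] for e in recent}) >= distributed_threshold:
            distributed = True
    return {
        "xmlrpc_posts": len(events),
        "noisy_ips": sorted(noisy_ips),
        "distributed_burst": distributed,
    }


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The per-IP rule is what a fail2ban jail or firewall rate limit would implement; on its own it misses this botnet, which sends only a few attempts per proxy address. The distributed check is the one that catches it, at the cost of also firing on a burst of legitimate app clients, so set its threshold from your own baseline of xmlrpc.php traffic.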
We don't have a ton of good news for you in this department. As long as you use WordPress, you are going to be vulnerable to these types of attacks. There's no way to completely distance your website from core vulnerabilities. During times like this, a bunch of firewall and WordPress security firms are going to be pushing their products. But, these firewalls and protection elements aren't foolproof. You should research the pros and cons of each one of them before you make a purchase based on fear.
Of course, you could always switch to another CMS provider (wink wink).
This botnet exposes another serious WordPress flaw. This time the weakness sits in core itself, and it leaves thousands of websites open to brute force attacks. We recommend taking precautions against these types of attacks, especially now that this one is public.
If you're looking to invest in cybersecurity elements for your WordPress website, we urge you to do the research and pick one that best aligns with your site's goals.
We'll keep an eye on this botnet and keep you posted if any similar attacks pop up over the next few months.