Threat actors have created a botnet army using 20,000 infected Word Press sites that is, in turn, assaulting other Word Press websites using dictionary-style brute force attacks in an attempt to gain access.
This information was revealed by Wordfence, a Word Press security plugin supplier, yesterday. Wordfence said its plugin has tracked and stopped more than five million malicious authentication attempts associated with this attack campaign in the last 30 days.
Wordfence’s Mikey Veenstra wrote the malicious actors are using a group of four command and control servers to pump out attack orders to 14,000 proxy servers, supplied by the Russian proxy provider best-proxies[.]ru, which in then turn loose the 20,000 Word Press sites on their compatriots. The proxy servers are used to obfuscate the command and control traffic.
“The C2 servers we identified are hosted with providers known in the security community as “bulletproof” hosts. “Bulletproof” refers to hosts that are known for lax (if any) enforcement of abuse policies and legal action, making them a de facto safe haven for malicious activity,” Veenstra said.
Each of the 20,000 enslaved sites is running a script that performs a brute force attack targeting WordPress’s XML-RPC interface at /xmlrpc.php. The methodology tested usernames and password pairs derived from a list of very common passwords and then uses its functionality to dynamically create additional password options based on common patterns. Such as:
“In addition to law enforcement, we will be contacting some hosting providers we’ve identified with large numbers of infected “slave” sites. It is our hope that providing this information can help limit the effectiveness of this campaign by reducing the number of active sites launching attacks,” he said.