20,000-strong WordPress botnet found attacking other WordPress sites

• The botnet was found targeting WordPress sites with brute force attacks.
• The attackers were found using dictionary attacks to gain unauthorized access to the targeted sites.

Wordpress sites have long been a lucrative target for large-scale botnet attacks. One such case has recently come into light and involves a network of over 20,000 infected WordPress sites launching attacks against other WordPress sites.

Defiant, the makers of the WordPress security plugin Wordfence, discovered this new massive botnet. The attackers were found using dictionary attacks, which involves a hacker repeatedly attempting to log in, using varying username and password combinations to gain access to a targeted site.

The botnet attack chain

“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru. They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,” Wordfense researchers wrote in a blog.

The command and control servers were designed to send attack instructions to a network of over 14,000 Best-Proxies[.]ru proxy servers. This was followed by the injection of malicious brute force scripts into the already-infected sites. The malicious scripts used employed techniques like dynamic wordlist generation and multicall functionality to perform the dictionary attacks.

“If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets,” the researchers added.

The multicall functionality allows the attackers to carry out multiple password attempts with just a single request, thus, greatly increasing the speed of their attacks.

Locating the botnet

Normally, it is difficult for researchers to figure out the location of the attackers’ C2 servers, especially in cases where cybercriminals hide their C2 servers behind proxies. However, in this case, the attackers made some mistakes that allowed Wordfence researchers to identify the main C2 servers, as well as the connections to Best-Proxies[.]ru proxy servers.

The attackers made mistakes in the brute force scripts, as well as in implementing the authentication systems for the botnet’s administration panel. This gave the researchers a chance to sneak into their operations and gain insights.

The researchers have shared the information gained from the investigation with the law enforcement for taking further actions. They also contacted the hosting providers used by the attackers. However, the botnet continues to be actively operating, thanks to the policies of HostSailor, the bulletproof hosting provider used by the attackers.

How to protect your site?

In this case, the researchers noted that since the brute force attack is directed at the WordPress XML-RPC authentication mechanism, changes to the admin panel cannot prevent the attack. Site owners are instead advised to use security plugins which can block such brute force attacks. Performing regular security audits for your site is also a recommended practice.

The WordPress framework has also previously been targeted for creating large botnets, starting way back in 2013. Despite such attacks, many site administrators do not take the necessary security measures, which has lead to continued attacks.