Mass WordPress Attacks Spread, Brute-Forcing Admin Passwords


Security experts from a variety of firms are warning of a growing attack campaign targeting WordPress websites and are urging businesses and users maintaining sites on the platform to harden their passwords to avoid being compromised.

The attack itself is not sophisticated, according to security experts, but the possibility that the cybercriminal behind the campaign could successfully build a large botnet is eye-opening. The attacks, identified by Web hosting firm CloudFlare last week, have been successful against tens of thousands of sites. The brute-force attack uses a botnet and an automated tool to guess account credentials and gain access to the WordPress administrator account.

WordPress has made it clear that it isn't issuing default account credentials, but a high percentage of individuals are still using "admin" as their username, said HD Moore, the creator of the popular Metasploit penetration testing framework and CSO at vulnerability management vendor Rapid7. Widespread use of weak passwords makes the attack easy to carry out, Moore said.
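A defender-side illustration of the pattern described above, added here as an example that is not part of the original article: parse web-server access-log lines for POSTs to the WordPress login page and flag both a single noisy source and the distributed shape of this campaign, many sources each making only a few attempts. The log lines and IP addresses are constructed, and the thresholds and the 200-on-failure / 302-on-success status convention are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not real traffic:
# several source addresses each POST to the WordPress login page a few times.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:10:00:05 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, request method, request path and response status from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def login_attempts(log_text):
    """Return (failed_per_ip, succeeded_ips) for POSTs to /wp-login.php.
    Assumption: a failed login re-renders the form with HTTP 200, while a
    successful login answers with a 302 redirect to the dashboard."""
    failed = Counter()
    succeeded = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/wp-login.php'):
            continue
        if m['status'] == '302':
            succeeded.add(m['ip'])
        else:
            failed[m['ip']] += 1
    return failed, succeeded


def assess(log_text, per_ip_threshold=2, distributed_threshold=3):
    """Flag a single noisy source, a distributed campaign (many sources with a
    few failures each), and any source that failed and then logged in."""
    failed, succeeded = login_attempts(log_text)
    noisy = sorted(ip for ip, n in failed.items() if n >= per_ip_threshold)
    compromised = sorted(ip for ip in succeeded if failed[ip] > 0)
    return {'noisy_sources': noisy,
            'distributed': len(failed) >= distributed_threshold,
            'failed_then_succeeded': compromised,
            'failed_sources': len(failed)}
```

In the sample, one address trips the per-source threshold, three distinct failing sources trip the distributed threshold, and 203.0.113.12 is the source that failed once and then succeeded, which is the case worth a password reset and session review.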


Attacks targeting WordPress installs are not new, and the techniques are commonly used by financially motivated cybercriminals. Moore and other security experts are dismissive of the strength of the botnet created by the mass compromises. He said the attack is more likely the work of an individual attempting to carry out drive-by attacks, click fraud or other standard financially motivated attacks.

"WordPress is not the best way to build a botnet," Moore said. "Trying to attack another website with DDoS using a .php-based botnet is just fine, but even that is not good for long-term persistence."

The attackers are trying to move from infecting endpoints, such as laptops, to targeting WordPress servers, said Wade Williamson, a senior security analyst at Palo Alto Networks.

The technique used to carry out the attacks is not that innovative, but chaining together servers with real horsepower is interesting to threat researchers. Williamson said there is concern that if Web servers at hosting companies were infected, a DDoS attack carried out using them would be more powerful than one carried out using a botnet of zombie laptops. If the botnet were to spread into larger infrastructure, such as colocation facilities and hosting providers, bigger servers with far more bandwidth would change what a botnet can do, Williamson said.

"As soon as you start getting botnet infrastructure inside a large Internet infrastructure, it does get a little scarier," Williamson said. "With this attack being identified, the odds of a much larger active botnet going down quickly is very likely."

Some providers have identified up to 90,000 IP addresses involved in the latest attack. Cybercriminals typically go after Web application vulnerabilities and flaws within third-party components in the WordPress platform, said Roger Thompson, chief emerging threat researcher at ICSA Labs, a division of Verizon that provides third-party testing and certification of security and health IT products.

WordPress started rolling out support for two-factor authentication, which would make the brute-force attacks almost impossible, say security experts. The latest attacks could be a land grab to infect as many WordPress sites as possible before two-factor authentication is implemented more broadly, Thompson said.

"They've gone and drawn way too much attention to the whole thing," Thompson said. "Obviously they had been organized about it, and it's likely they had an objective in mind, but it is much more normal to do things fairly surreptitiously."

PUBLISHED APRIL 15, 2013