Massive Botnet-powered Brute Force Attack Targeting WordPress Installations

Last week, reports surfaced of brute force attacks targeting a large number of WordPress blogs scattered across the Internet. The attacks are still ongoing, with attackers launching brute force attacks against WordPress administrative logins using the username “admin” and trying combinations of thousands of passwords to gain unauthorized access.

If attackers are able to compromise WordPress sites, they can conduct further malicious activity, such as injecting code into pages in order to spread malware.

Matthew Prince, CEO of CloudFlare, a web site security firm, told SecurityWeek that on Friday its platform was blocking as many as 60 million malicious requests per hour.

“Based on our scale, that suggests that Internet-wide the botnet is launching around 2 billion requests per hour,” Prince said. “Unfortunately, that’s a high enough volume to test a large number of passwords on a massive percentage of the world’s WordPress installs. Inevitably, even with the attention this attack has received, there will be a lot of compromised accounts as a result.”

Web hosting firm HostGator said it has seen over 90,000 IP addresses involved in this attack.

US-CERT issued a warning about the attacks on Monday morning as well.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince noted in a blog post. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Similar techniques were used last fall in attacks against US banks, when attackers used a DDoS toolkit called “itsoknoproblembro” that is capable of simultaneously attacking various components of a website’s infrastructure and flooding servers with sustained traffic, which peaked at 70 Gbps at the time.

All WordPress users should make sure they have a strong password set and that their WordPress software is up to date.

However, Marty Meyer, President of Corero Network Security, believes that a strong password and updated software are not enough to combat these powerful attacks.

“To effectively fight attacks such as the WordPress attack we must move that cyber security perimeter beyond the firewall and meet the attacks directly,” Meyer told SecurityWeek. “Yes, having the default “admin” as your user name and simple password is never a good idea, but from a server level so much more can be done to protect website owners from such malicious and economically devastating attacks.”

Meyer also explained that because the attack is so strong, the typical IP-limiting methods of sidestepping such malicious advances are not effective.
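Detection logic for the distributed pattern Meyer describes, added here as an example and not taken from the article or from any vendor mentioned in it: it parses constructed Apache-format access-log lines (addresses are from documentation ranges), counts failed POSTs to wp-login.php per source IP and site-wide within a time window, and flags a window whose site-wide count is high even though no single IP crosses a per-IP limit. It assumes WordPress's usual behaviour of re-rendering the login form with HTTP 200 on a failed login and redirecting with 302 on success.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined format (not from the article):
# five hosts each fail once against wp-login.php, one unrelated GET, one successful login.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.13 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins_by_window(log_text, window_seconds=60):
    """Map each time window to a Counter of failed wp-login.php POSTs per source IP.
    Assumption: WordPress re-renders the form with HTTP 200 on a bad password and
    answers 302 on success, so a 200 to a POST here is treated as a failure."""
    windows = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        windows[int(ts.timestamp()) // window_seconds][m["ip"]] += 1
    return windows

def classify_window(per_ip, per_ip_limit=5, site_limit=5):
    """Per-IP thresholds miss a botnet that spreads attempts thinly across many
    hosts, so also alert on the site-wide failure count within the window."""
    total = sum(per_ip.values())
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    return {
        "total_failures": total,
        "distinct_ips": len(per_ip),
        "noisy_ips": noisy_ips,
        "distributed_brute_force": total >= site_limit and not noisy_ips,
    }

if __name__ == "__main__":
    for window, per_ip in sorted(failed_logins_by_window(SAMPLE_LOG).items()):
        print(window, classify_window(per_ip))
```

On the sample the window shows five failures from five distinct sources with no IP above the per-IP limit, which is exactly the case a per-IP block list would miss; the thresholds are illustrative and would be tuned to a site's normal login failure rate.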

“The fact that so many WordPress websites are being ‘scanned’ simultaneously is causing massive overloading on hosting providers’ infrastructure, often bringing entire servers to a halt,” Marc Gaffan of Incapsula told SecurityWeek. “The challenge hosting companies are facing is trying to fend off the attack attempts before they reach their infrastructure.”

“The fact of the matter is in today’s fight against cyber-attacks, the battle is no longer at the point of where unwanted traffic meets firewall,” Meyer added.

US-CERT also provided the following guidance to help WordPress administrators secure their content management systems:

• Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.

• Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system.

• Refer to the Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks.

• Additional security practices and guidance are available in US-CERT’s Technical Information Paper TIP-12-298-01 on Website Security.

Both CloudFlare and Incapsula said their website security services have been set up to mitigate these attacks.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.