Massive Botnet-powered Brute Force Attack Targeting WordPress Installations

Last week, reports surfaced of brute force attacks targeting a large number of WordPress blogs scattered across the Internet. The attacks are still ongoing, with attackers launching brute force attacks against WordPress administrative logins using the username “admin” and trying combinations of thousands of passwords to gain unauthorized access.

If attackers successfully compromise WordPress sites, they can conduct further malicious activity, such as infecting pages with code in order to spread malware.

Matthew Prince, CEO of CloudFlare, a web site security firm, told SecurityWeek that on Friday its platform was blocking as many as 60 million malicious requests per hour.

“Based on our scale, that suggests that Internet-wide the botnet is launching around 2 billion requests per hour,” Prince said. “Unfortunately, that’s a high enough volume to test a large number of passwords on a massive percentage of the world’s WordPress installs. Inevitably, even with the attention this attack has received, there will be a lot of compromised accounts as a result.”

Web hosting firm HostGator said it has seen over 90,000 IP addresses involved in this attack.

US-CERT issued a warning about the attacks on Monday morning as well.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince noted in a blog post. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Similar techniques were used last fall in attacks against US banks, when attackers used a DDoS toolkit called “itsoknoproblembro” that is capable of simultaneously attacking various components of a website’s infrastructure and flooding the servers with sustained traffic, peaking at 70 Gbps at the time.

Any WordPress users should be sure they have a secure password set and ensure their WordPress software is up to date.

However, Marty Meyer, President of Corero Network Security, believes that a strong password and updated software are not enough to combat these powerful attacks.

“To effectively fight attacks such as the WordPress attack we must move that cyber security perimeter beyond the firewall and meet the attacks directly,” Meyer told SecurityWeek. “Yes, having the default ‘admin’ as your user name and a simple password is never a good idea, but from a server level so much more can be done to protect website owners from such malicious and economically devastating attacks.”

Meyer also explained that because the attack is so strong, typical IP-limiting methods of sidestepping such malicious advances are not effective.

“The fact that so many WordPress websites are being ‘scanned’ simultaneously is causing massive overloading on hosting providers’ infrastructure, often bringing entire servers to a halt,” Marc Gaffan of Incapsula told SecurityWeek. “The challenge hosting companies are facing is trying to fend off the attack attempts before they reach their infrastructure.”

“The fact of the matter is in today’s fight against cyber-attacks, the battle is no longer at the point of where unwanted traffic meets firewall,” Meyer added.
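As an added example (not from the article or from any of the vendors quoted in it), the Python below shows why the per-IP limiting Meyer describes misses a botnet of this shape while a site-wide rate does not: it parses constructed Apache-style access-log lines, treating a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form) and a 302 as a success. The IP ranges, thresholds and window size are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined"-style line: ip ident user [ts] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample_log():
    """Constructed log (not real traffic): 40 bot IPs, each sending only 2 failed
    logins within one minute, plus one normal page view and one successful login."""
    base = datetime.strptime("12/Apr/2013:10:00:00 +0000", TS_FMT)
    lines = []
    for i in range(40):
        for k in range(2):
            t = (base + timedelta(seconds=i + 20 * k)).strftime(TS_FMT)
            lines.append(f'203.0.113.{i + 1} - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3921')
    t = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{t}] "GET /2013/04/post/ HTTP/1.1" 200 14211')
    lines.append(f'198.51.100.8 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0')  # success
    return lines

def failed_logins(lines):
    """Yield (timestamp, ip) for each POST to wp-login.php that re-rendered the form (200)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] == "200":
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"]

def per_ip_offenders(lines, threshold=5):
    """Classic per-IP rule: IPs with more than `threshold` failed logins. Each bot
    stays well under the threshold, so this returns nothing for the sample."""
    counts = Counter(ip for _, ip in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n > threshold}

def site_wide_peak(lines, window=timedelta(seconds=60)):
    """Sliding-window peak of failed logins against the whole site, and how many
    distinct IPs produced it. A high count from many IPs is the distributed signal."""
    events = sorted(failed_logins(lines))
    best, start, peak = 0, 0, []
    for end in range(len(events)):
        while events[end][0] - events[start][0] >= window:
            start += 1
        if end - start + 1 > best:
            best, peak = end - start + 1, events[start:end + 1]
    return best, len({ip for _, ip in peak})
```

For the constructed sample, `per_ip_offenders` returns an empty dict while `site_wide_peak` reports 80 failed logins from 40 distinct IPs in one minute, which is the ratio a host-level rule would alert on.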

US-CERT also provided the following guidance to help WordPress administrators secure their content management systems:

• Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.

• Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system.

• Refer to Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks.

• Additional security practices and guidance are available in US-CERT’s Technical Information Paper TIP-12-298-01 on Website Security.

Both CloudFlare and Incapsula said their website security services have been set up to mitigate these attacks.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
