Massive Botnet-powered Brute Force Attack Targeting WordPress Installations

Last week, reports surfaced of brute force attacks targeting a large number of WordPress blogs scattered across the Internet. The attacks are still ongoing, with attackers launching brute force attacks against WordPress administrative logins using the username “admin” and trying combinations of thousands of passwords to gain unauthorized access.

If attackers successfully compromise WordPress sites, they can go on to conduct further malicious activity, such as injecting code into pages to spread malware to visitors.

Matthew Prince, CEO of CloudFlare, a web site security firm, told SecurityWeek that on Friday its platform was blocking as many as 60 million malicious requests per hour.

“Based on our scale, that suggests that Internet-wide the botnet is launching around 2 billion requests per hour,” Prince said. “Unfortunately, that’s a high enough volume to test a large number of passwords on a massive percentage of the world’s WordPress installs. Inevitably, even with the attention this attack has received, there will be a lot of compromised accounts as a result.”

Web hosting firm HostGator said it has seen more than 90,000 IP addresses involved in the attack.

US-CERT issued a warning about the attacks on Monday morning as well.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince noted in a blog post. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Similar techniques were used last fall in attacks against US banks, when attackers used a DDoS toolkit called “itsoknoproblembro” that is capable of simultaneously attacking various components of a website’s infrastructure and flooding the servers with sustained traffic, peaking at 70 Gbps at the time.

All WordPress users should make sure they have a strong password set and that their WordPress software is up to date.

However, Marty Meyer, President of Corero Network Security, believes that a strong password and updated software are not enough to combat these powerful attacks.

“To effectively fight attacks such as the WordPress attack we must move that cyber security perimeter beyond the firewall and meet the attacks directly,” Meyer told SecurityWeek. “Yes, having the default ‘admin’ as your user name and a simple password is never a good idea, but from a server level so much more can be done to protect website owners from such malicious and economically devastating attacks.”

Meyer also explained that because the attack is so strong and spread across so many source addresses, the typical per-IP rate-limiting methods of sidestepping such attacks are not effective.
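The point above is easy to see in log data: when a botnet of 90,000 addresses spreads its guesses thinly, no single source ever crosses a per-IP threshold, while the targeted site as a whole sees a flood of failed logins. The following script is an added illustration, not code from the article, WordPress, or any of the vendors quoted. It parses Apache combined-format access lines and relies on one assumption about WordPress behaviour: a failed POST to /wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Spot a distributed WordPress login brute force in Apache combined logs.

Added example for this article, not code from the article or from WordPress.
Assumption: WordPress answers a failed POST to /wp-login.php by re-rendering
the form (HTTP 200) and a successful login with a redirect (HTTP 302).
"""
import re
from collections import Counter

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

PER_IP_THRESHOLD = 5   # what a naive per-IP limiter would block on (constructed)
SITE_THRESHOLD = 10    # failed logins against the whole site, any source (constructed)


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def login_posts(lines):
    """Yield parsed entries that are POSTs to the WordPress login endpoint."""
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php":
            yield e


def analyze(lines):
    """Compare a per-IP view with a site-wide view of failed login attempts."""
    failed_per_ip = Counter()
    successes = []
    for e in login_posts(lines):
        if e["status"] == 200:          # form re-rendered: failed attempt
            failed_per_ip[e["ip"]] += 1
        elif e["status"] == 302:        # redirect: login succeeded
            successes.append(e["ip"])
    total_failed = sum(failed_per_ip.values())
    # Sources a per-IP limiter would have caught.
    per_ip_flagged = sorted(ip for ip, n in failed_per_ip.items() if n >= PER_IP_THRESHOLD)
    # Site-wide failures are high but no single source tripped the per-IP rule:
    # the signature of a distributed campaign that per-IP blocking misses.
    distributed = total_failed >= SITE_THRESHOLD and not per_ip_flagged
    # A success from an address that had been failing is the compromise signal.
    suspicious_success = sorted(set(ip for ip in successes if failed_per_ip[ip] > 0))
    return {
        "total_failed": total_failed,
        "distinct_sources": len(failed_per_ip),
        "per_ip_flagged": per_ip_flagged,
        "distributed_campaign": distributed,
        "suspicious_success": suspicious_success,
    }


def _line(ip, sec, method, path, status):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3542 "-" "Mozilla/5.0"')


# Constructed sample: six bots each make only two guesses, so none reaches the
# per-IP threshold, then one of them logs in; a legitimate user logs in cleanly.
BOTS = ["203.0.113.10", "203.0.113.11", "198.51.100.7",
        "198.51.100.8", "192.0.2.20", "192.0.2.21"]
SAMPLE_LOG = [_line(ip, i, "POST", "/wp-login.php", 200)
              for i, ip in enumerate(BOTS * 2)]
SAMPLE_LOG += [
    _line("192.0.2.21", 20, "POST", "/wp-login.php", 302),   # bot succeeds
    _line("192.0.2.99", 30, "GET", "/wp-admin/", 200),        # unrelated traffic
    _line("192.0.2.99", 31, "POST", "/wp-login.php", 302),    # normal login
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the per-IP view flags nothing, while the site-wide view reports twelve failures from six sources and a suspicious success from one of them; that gap is why the article's sources argue mitigation has to happen upstream of the individual server.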

“The fact that so many WordPress websites are being ‘scanned’ simultaneously is causing massive overloading on hosting providers’ infrastructure, often bringing entire servers to a halt,” Marc Gaffan of Incapsula told SecurityWeek. “The challenge hosting companies are facing is trying to fend off the attack attempts before they reach their infrastructure.”

“The fact of the matter is in today’s fight against cyber-attacks, the battle is no longer at the point of where unwanted traffic meets firewall,” Meyer added.

US-CERT also provided the following guidance to help WordPress administrators secure their content management systems:

• Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.

• Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system.

• Refer to Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks.

• Additional security practices and guidance are available in US-CERT’s Technical Information Paper TIP-12-298-01 on Website Security.

Both CloudFlare and Incapsula said their website security services have been set up to mitigate these attacks.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.