Hackers controlling a "botnet" of over 20,000 infected WordPress sites are attacking other WordPress sites, according to a report by the Defiant Threat Intelligence team. The botnet has attempted up to five million malicious WordPress logins in the last thirty days.
According to the report, the hackers behind this attack use four command and control servers to send requests to over 14,000 proxy servers of a Russian provider. These proxies anonymize the traffic and relay instructions and a script to the infected WordPress "slave" sites, specifying which other WordPress sites should be targeted. The servers behind the attack are still online and primarily target WordPress's XML-RPC interface, trying combinations of usernames and passwords for administrator logins.
"The wordlists associated with this campaign contain small sets of very common passwords. However, the script does have capabilities to dynamically generate passwords based on common patterns … Although unlikely to be used on a particular site, this tactic can be very effective when used on a large number of targets," explains the Defiant Threat Intelligence team.
Attacks on the XML-RPC interface are not new and date back to 2015. If you are worried that your WordPress site may be affected by this attack, the Defiant Threat Intelligence team reports that the best protection is to limit and block failed login attempts. You can also use WordPress plugins that protect against brute-force attacks, such as the Wordfence plugin.
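As an added illustration of the advice above (example code, not from the report or from Wordfence), the script below scans a web server access log for clients that hit xmlrpc.php in bursts, the pattern this campaign produces; the log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in combined log format (not from the report):
# 203.0.113.5 hammers xmlrpc.php, 192.0.2.9 uses it at a normal rate.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.1"
198.51.100.7 - - [05/Dec/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla"
203.0.113.5 - - [05/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.1"
203.0.113.5 - - [05/Dec/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.1"
192.0.2.9 - - [05/Dec/2018:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 950 "-" "Jetpack"
203.0.113.5 - - [05/Dec/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.1"
203.0.113.5 - - [05/Dec/2018:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.1"
192.0.2.9 - - [05/Dec/2018:10:01:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 950 "-" "Jetpack"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_xmlrpc_bursts(log_text, threshold=5, window_seconds=60):
    """Flag IPs that POST to /xmlrpc.php at least `threshold` times within any
    sliding window of `window_seconds`. Returns {ip: time of first trigger}.
    Per-IP counting only catches noisy clients; a campaign spread over thousands
    of proxies also needs failed-login limiting at the application layer."""
    recent = defaultdict(deque)   # ip -> timestamps of recent xmlrpc.php POSTs
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _ = parsed
        if method != "POST" or path.split("?")[0] != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop requests outside the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Run `find_xmlrpc_bursts(SAMPLE_LOG)` to get the flagged IPs; feed the result into your firewall or rate limiter rather than blocking on a single sighting.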
The Defiant Threat Intelligence team has shared information about the attacks with law enforcement agencies. Unfortunately, ZDNet reports that the four command and control servers cannot be taken offline because they are hosted with a provider that does not comply with takedown requests. The researchers will, however, contact the hosting providers identified for the infected slave sites in order to limit the scope of the attack.
Some data has been omitted from the original report of this attack because it could be exploited by others. The use of proxies also makes it difficult to trace the origin of the attacks. However, the attacker made mistakes that allowed the researchers to access the interface of the command and control servers behind the attack. All of this information is considered "very valuable data" for the investigators.