The famous American robber Willie Sutton was asked once why he robbed banks. His answer was humorous, direct, and revealing: “Because that’s where the money is.”
For hackers, WordPress sites represent a similar rich vein of opportunity. WordPress is one of the world’s most popular web publishing platforms. Its ease of publishing is popular with smaller businesses and organizations looking to establish a quick and easy presence on the internet.
Unfortunately, that same ease lends itself to insecure web practices, such as web platforms that aren’t properly protected, weak passwords, and lack of administrative controls. The latter can also make it easy for increased lateral movement once an initial web server is compromised. This can greatly increase the scale of damage, making WordPress infrastructure very lucrative for hackers.
Cisco Umbrella threat researchers have been analyzing attacks on various WordPress sites recently. We found some interesting examples of how attackers are compromising WordPress sites. Let’s look into it.
How do attackers compromise a WordPress site?
Generally, what we’ve seen are variations of land-and-expand techniques. Hackers seek opportunities to infiltrate weakly protected WordPress sites, identify associated assets through phishing and other subterfuge, and expand their network of compromised assets for further expansion of opportunities to monetize their activities.
There are several ways to infiltrate WordPress infrastructure. But, generally, we’ve seen attackers progress by these sorts of actions:
- Take control of the WordPress site through brute force attacks, trojans inside themes and plug-ins, and exploitation of poorly protected admin controls
- Host malware
- Host phishing pages that mimic popular brands to collect more information
- Host spam pages to create more intelligence-gathering opportunities
- Most importantly, use the compromised site to attack other WordPress sites
How does an attacker find and select a site to attack?
An attacker can use systems that are designed to scan the internet for vulnerable WordPress sites and then notify the attacker’s command-and-control server.
Another method to discover vulnerable sites for attack is open source domain intelligence. For example, an attacker could find a domain by using Google Dorks.
When our researchers examined the compromised machines, they found a lot of malicious PHP scripts and malware.
First, an attacker would append the malicious code in the index page. So when a customer visits the WordPress site, it redirects to spam pages — or it may trigger the server to do something else.
An example of such spam page redirection follows:
This attack type is not new — we have been seeing attacks like this for a while.
We also observed cases where malware was hosted on the website. In one case, we found a trojan that made contact with the domain detroidcliper[.]at.
This particular domain is a command-and-control server. It receives a lot of queries, with high query volumes reaching a max of 94k queries. We also observed a login panel hosted at this domain, that matches the login panel of Sarwent.
Let’s take a closer look at malicious scripts that were hosted on a compromised WordPress site. Most of them are PHP scripts which are obfuscated heavily. The most commonly used obfuscation method is eval(gzuncompress(base64_decode(Endoded_content)));
After decoding, we found the following script.
This PHP code contains an executable file delivered via Base64 encoding. When the PHP code runs, the executable file executes directly in the memory.
Another function in the PHP code also searches for an exploit in order to perform privilege escalation.
The remainder of the malicious scripts perform various tasks. Some of these redirect to spam sites, give shell access to attackers, and others are used to attempt to compromise other WordPress sites. Generally, the objectives are to collect more intelligence in search of further opportunities to exploit, and compromise more sites to continue the cycle.
A brute force WordPress attack is an ongoing process. On average, a single compromised WordPress site tries to brute force about 2,000 other domains per day. Not every WordPress site will be compromised, but enough WordPress sites have easy-to-guess common passwords to make this type of attack worthwhile. Usually, attackers keep a list of simple passwords and use them to launch a brute force attack on a site.
During an analysis of network traffic, we noticed that one of the compromised sites was contacting another domain continuously.
The domain was styleofphucet[.]at. Surprisingly, this one also has high query volume.
This domain was repeatedly contacted during the same compromise that included network callouts to detroidcliper[.]at.
While we were researching more about this attack, we found a domain that was embedded in pages of many compromised domains. We found that it hosted an open directory that was very revealing. Inside the directory, we found almost all of the WordPress domains related to the attacks.
We observed that a massive amount of random text was collected and stored by the attacker. After closer analysis, we realized that it may be browser history of victims.
Why would an attacker store a random massive list of browser history? Isn’t this strange?
We believe that attackers use this browser history to search in various search engines for vulnerable domains using a bot. Any of those domains may become the target.
Also, the attackers use the sitemap for the pages they have hosted and let the bots crawl them. This way, when a user searches for a website, they get the pages that are hosted by the attackers instead of what they intended to visit.
How can WordPress administrators protect themselves from these kinds of exploits? Whenever a WordPress site is being hosted, the administrator has to make sure that all security requirements are met. So many attacks that are happening today are because of a lack of security controls, use of weak passwords, and because of vulnerable themes and plugins.
Here are some best practices to protect WordPress sites:
- Use a strong password and change it regularly
- Use adequate access controls
- Update plugins and themes
By taking these types of measures, you can reduce the attack surface so that your site is less likely to be compromised.
With Cisco Umbrella, you get instant access to interactive threat intelligence that lets you conduct investigations and uncover attacks before they start. Our recursive DNS servers resolve more than 200 billion requests per day, so we can see the relationships between malware, domains, IPs, and networks across the internet. Our threat analysis learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.
Learn more about how predictive intelligence can make a difference in your ability to stop threats by reading our technical paper, The Role of Predictive Intelligence in the Fight Against Cyber Attacks.
Check out our recent article on threat intelligence to dive into pandemic-themed phishing attacks and uncover how attackers orchestrate sophisticated campaigns to take advantage of the current pandemic.
Possible Compromised sites: