In the wake of Arbor Network's recent discovery of a new botnet that's brute-forcing passwords on WordPress sites, security experts recommend beefing up password security on web applications. Administrators who are concerned that their blog platforms have been compromised should check whether any of the files associated with the application have been modified.
Weak passwords allowed a botnet of 25,000 Windows workstations to successfully brute force username/password combinations for more than 6,000 sites running the popular blogging platform WordPress or the content management system Joomla, according to a recent blog post by Arbor Networks.
The infected machines attempted to log in to thousands of these sites using common usernames, such as "admin" and "administrator," and commonly used passwords, such as "admin," "12345," "pass," and "abc123," as well as the domain name, Matthew Bing, a senior researcher at Arbor Networks, wrote in the blog post.
"These kind of attacks are familiar, and we will continue to see them again and again because they are frequently effective," says Nick Levay, CSO of Bit9, an endpoint and server protection company.
While enterprises focus on making sure that end-users are not sharing account credentials, selecting easy-to-guess passwords or reusing the same one across multiple accounts, many IT administrators are not applying the same best practices to web applications, root accounts and publicly-accessible servers, Levay says. Administrators may enable two-factor authentication and other security measures for end-users, but neglect those layers of protection for the hardware and application levels, he notes.
"While there has been great focus on detection of users visiting compromised sites, there has been comparatively little progress in web server protection and credential management," says James Lyne, global head of security research at Sophos, an endpoint and web security company.
To ensure attackers can't try common passwords or dictionary words to brute-force an account, it's essential to use strong passwords, experts stress. Administrators who know their CMS systems have weak passwords should immediately change the credentials to be longer and more complex. WordPress even offers two-factor authentication with Google Authenticator, Levay notes.
While two-factor authentication may over-complicate the system for regular bloggers and commenters, administrator and super-user accounts should be protected using this technology, he recommends.
The latest version of WordPress also lets site owners call the administrator account something other than "admin," which would make it more difficult for these kinds of automated attacks to succeed because the attacker doesn't know what username to target.
Selling CMS Credentials for Other Attacks
Attackers target web applications, such as content management systems, with brute-force attacks to harvest account credentials. Attackers can then immediately monetize the data by selling it to someone else, Levay says. The buyer may need access to the servers to create web pages hosting exploit kits or to host phishing and other malicious scams.
Web server credentials are particularly valuable in the underground market because they enable attackers to log in and modify content posted online, Lyne says. "Compromising sites to distribute malicious code provides great scale for cybercriminals."
The campaign, dubbed Fort Disco, that Arbor Networks identified is similar to the massive brute-force operation against WordPress sites discovered by other researchers back in April. Fort Disco began in late-May, and while it is possible the earlier campaign was an earlier run for Fort Disco, Arbor Networks does not believe the campaigns are related, Bing says. There was also no evidence the attacks are related to the Brobot toolkit, which the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters has used to launch waves of distributed-denial-of-service attacks against financial services organizations over the past year.
"We don't have any evidence the Fort Disco attacks are related to the QCF/Brobot incidents or phishing campaigns," Bing says. The "best evidence" indicated the attackers were interested in installing drive-by exploit kits on compromised sites, he adds.
Securing Web Servers
If attackers are able to log on to a CMS, they can gain a lot of control over the web server. For example, attackers can upload a PHP file to the site, which can act as a backdoor to the server. Attackers communicate directly with the backdoor file to instruct the server to execute other applications and scripts, launch DDoS attacks against a target, or send spam to a list of addresses.
The attackers can also install an exploit kit on the website, which could trigger a drive-by-download attack on unsuspecting site visitors and infect them with malware.
Cyber-attacks harvesting site credentials to be used in future attacks are a growing trend, Levay says. And once a backdoor has been installed on the server, it's too late to change the password to the CMS because the attackers have already established alternate routes on to the server, he explains. Administrators who suspect unauthorized login attempts should assume the server has been compromised, he adds.
The best way to remediate the servers is to wipe the box and rebuild the system from scratch, but that is often impractical for many organizations, Levay says. But having regular backups makes it less challenging to revert to the uncompromised site. Attack code is frequently just one line injected into an existing file. This can be difficult to track down manually, so being able to restore files from clean backups is critical, Levay notes.
Administrators should revert to a backup and look carefully through new files to remove any unknown or suspicious files, he recommends. "If you don't know what the file is, it is probably malicious," Levay says.
In the case of Fort Disco, Bing identified two files, jm.php and mod_system.php, that appear to be associated with the PHP backdoor installed as part of the attack.
Many enterprises deploy web filtering products to prevent end-users from accidentally landing on malicious sites or accessing questionable content. And endpoint security software can detect when a website tries to download a suspicious file onto the computer, or if a malicious file attempts to execute. But many enterprises have not deployed these technologies to protect web servers, Lyne says. This has serious implications for future attacks.
"I expect automated scanners in bots targeted at the web application layer will be something we see more of," he predicts.