Attackers Target Weak Web App Passwords

Experts Offer Insights on Thwarting Botnet

By , August 20, 2013.

In the wake of Arbor Network's recent discovery of a new botnet that's brute-forcing passwords on WordPress sites, security experts recommend beefing up password security on web applications. Administrators who are concerned that their blog platforms have been compromised should check whether any of the files associated with the application have been modified.


Weak passwords allowed a botnet of 25,000 Windows workstations to successfully brute-force username/password combinations for more than 6,000 sites running the popular blogging platform WordPress or the content management system Joomla, according to a recent blog post by Arbor Networks.

The infected machines attempted to log in to thousands of these sites using common usernames, such as "admin" and "administrator," and commonly used passwords, such as "admin," "12345," "pass," and "abc123," as well as the domain name, Matthew Bing, a senior researcher at Arbor Networks, wrote in the blog post.
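As an added illustration, not part of the article, the pattern Bing describes (repeated login POSTs against the WordPress and Joomla login endpoints from one source) can be spotted in an ordinary web server access log. The log lines below are constructed; the attempt threshold and the WordPress heuristic that a failed login re-renders the form with HTTP 200 while a success redirects with 302 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the article). WordPress
# re-renders the login form with HTTP 200 on a failed login and redirects (302) on success.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Aug/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Aug/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Aug/2013:10:01:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2013:10:02:00 +0000] "GET /2013/08/post.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}  # WordPress and Joomla logins

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_posts_by_ip(log_text):
    """Count POST requests to CMS login endpoints per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return counts

def flag_sources(log_text, threshold=3):
    """Addresses whose login POST count reaches the threshold: brute-force candidates."""
    return sorted(ip for ip, n in login_posts_by_ip(log_text).items() if n >= threshold)

def suspected_successes(log_text, min_failures=2):
    """WordPress only: IPs whose 302 on /wp-login.php follows repeated 200 (failed) POSTs."""
    failures, hits = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] == "200":
            failures[rec["ip"]] += 1
        elif rec["status"] == "302" and failures[rec["ip"]] >= min_failures:
            hits.append(rec["ip"])
    return hits
```

A login that succeeds only after a run of failures from the same address is the case worth paging on, since it means one of the weak credentials the article lists actually worked.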

"These kinds of attacks are familiar, and we will continue to see them again and again because they are frequently effective," says Nick Levay, CSO of Bit9, an endpoint and server protection company.

While enterprises focus on making sure that end-users are not sharing account credentials, selecting easy-to-guess passwords or reusing the same one across multiple accounts, many IT administrators are not applying the same best practices to web applications, root accounts and publicly-accessible servers, Levay says. Administrators may enable two-factor authentication and other security measures for end-users, but neglect those layers of protection for the hardware and application levels, he notes.

"While there has been great focus on detection of users visiting compromised sites, there has been comparatively little progress in web server protection and credential management," says James Lyne, global head of security research at Sophos, an endpoint and web security company.

Strong passwords are the essential defense against attackers who try common passwords or dictionary words to brute-force an account, experts stress. Administrators who know their CMS installations have weak passwords should immediately change the credentials to longer, more complex ones. WordPress even offers two-factor authentication with Google Authenticator, Levay notes.

While two-factor authentication may over-complicate the system for regular bloggers and commenters, administrator and super-user accounts should be protected using this technology, he recommends.

The latest version of WordPress also lets site owners call the administrator account something other than "admin," which would make it more difficult for these kinds of automated attacks to succeed because the attacker doesn't know what username to target.

Selling CMS Credentials for Other Attacks

Attackers target web applications, such as content management systems, with brute-force attacks to harvest account credentials. Attackers can then immediately monetize the data by selling it to someone else, Levay says. The buyer may need access to the servers to create web pages hosting exploit kits or to host phishing and other malicious scams.

Web server credentials are particularly valuable in the underground market because they enable attackers to log in and modify content posted online, Lyne says. "Compromising sites to distribute malicious code provides great scale for cybercriminals."

The campaign that Arbor Networks identified, dubbed Fort Disco, is similar to the massive brute-force operation against WordPress sites that other researchers discovered back in April. Fort Disco began in late May, and while it is possible the earlier campaign was a trial run for Fort Disco, Arbor Networks does not believe the two campaigns are related, Bing says. There was also no evidence the attacks are related to the Brobot toolkit, which the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters has used to launch waves of distributed denial-of-service attacks against financial services organizations over the past year.

"We don't have any evidence the Fort Disco attacks are related to the QCF/Brobot incidents or phishing campaigns," Bing says. The "best evidence" indicated the attackers were interested in installing drive-by exploit kits on compromised sites, he adds.
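An added example, not from the article, of the file-modification check recommended at the top of the piece: a SHA-256 snapshot of the CMS tree taken while it is known-good, compared against a later one to list files that were added, changed or removed. The exclusion list and the tiny demo tree are constructed assumptions; the rule that PHP files under excluded media directories are still hashed is a deliberate choice, since executable code does not belong there.

```python
import hashlib
import os
import tempfile

# Hypothetical exclusions: paths that change during normal operation (uploads, caches).
# PHP files under them are still hashed, because executable code does not belong there.
EXCLUDES = ("wp-content/uploads", "wp-content/cache")

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, excludes=EXCLUDES):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            excluded = any(rel.startswith(ex + "/") for ex in excludes)
            if excluded and not rel.endswith(".php"):
                continue
            snapshot[rel] = hash_file(full)
    return snapshot

def compare(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed scenario: snapshot a tiny fake WordPress tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        write("index.php", "<?php require 'wp-blog-header.php';")
        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-content/uploads/photo.jpg", "jpeg-bytes")
        baseline = hash_tree(root)
        write("index.php", "<?php /* altered */ require 'wp-blog-header.php';")
        write("wp-content/uploads/dropped.php", "<?php /* PHP where only media belongs */")
        write("wp-content/uploads/photo.jpg", "replaced-jpeg-bytes")  # normal upload churn
        return compare(baseline, hash_tree(root))
```

The baseline must be taken (and stored off the web server) while the installation is known to be clean; a snapshot taken after a compromise only tells you what changed since the attacker arrived.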

Securing Web Servers

Follow Fahmida Y. Rashid on Twitter: @ITsecuritytech
