Password-cracking botnet has taken over WordPress sites to attack using the visitor's browser
Researcher Denis Sinegubko concludes that 41,800 passwords are being attempted per site.
As reported by Ars Technica, cybersecurity researcher Denis Sinegubko has been monitoring ongoing website hacking activities for a long time. Now, he has identified a major pivot from crypto wallet drainers to brute-force password-cracking attacks on WordPress sites. Why is this happening, what does it mean, and what can you, as an end user, do? We'll dive into all of the need-to-know information right away below.
First, let's talk "Why." Earlier in February, Sinegubko, writing for Sucuri's blog, discussed an increase in "web3 crypto malware," particularly malware used to inject crypto drainers into existing sites or use phishing sites for the same purpose.
These new attacks work differently: they use visitors' browsers for mass password-cracking attempts. The likely reason for this change in approach is that it would take a very long time for the active crypto drainers to turn a profit, if they manage to do so at all before getting blocked.
As Sinegubko says, "This is how thousands of visitors across hundreds of different websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites. And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests."
While the original write-up provides the full gruesome details of the hack and how it works, the gist of what you need to know is quite simple.
Any infected WordPress site can put its visitors' browsers to automated work guessing author or admin passwords for other WordPress sites. Attackers are estimated to be trying over 41,800 passwords against each targeted site. However, only one of the thousands of sites checked in the original Sucuri blog post was compromised by this method.
You don't need to do too much as an end user to avoid this. Keep your passwords secure, and if you don't trust the website you're visiting, blocking scripts with NoScript stops this kind of in-browser attack from running at all. Ad blockers may or may not block it; NoScript is the most aggressive option available.
For WordPress admins and anyone else concerned about this, verify that none of your passwords, especially those for admin or other privileged accounts, are default or weak. Proper password practice and firewalling your WordPress admin page and the "xmlrpc.php" file are the recommended measures for WP site owners who want to get ahead of this.
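The detail that makes this campaign hard to block, as the article quotes Sinegubko, is that each login attempt arrives from a different real visitor's browser, so a per-IP rate limit never trips. The Python script below is an added example, not code from the article or from Sucuri; it shows that gap on constructed access-log lines and one way to close it by counting failed login POSTs per endpoint and time window across all client IPs. It assumes the combined log format used by Apache and nginx, that a failed wp-login.php or xmlrpc.php login answers with HTTP 200 while a successful wp-login.php login answers with a 302 redirect, and arbitrary thresholds (8 attempts from at least 5 distinct IPs within 5 minutes) that a site owner would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints the article recommends firewalling.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): ten failed wp-login.php POSTs from
# nine different visitor IPs inside half a minute, one successful admin login (302),
# two xmlrpc.php failures, a normal page view, and a lone failure half an hour later.
SAMPLE_LOG = """\
203.0.113.1 - - [05/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.2 - - [05/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.3 - - [05/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.4 - - [05/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2024:10:00:08 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.6 - - [05/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.3 - - [05/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.8 - - [05/Mar/2024:10:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2024:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.30 - - [05/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.31 - - [05/Mar/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def login_attempts(lines):
    """Yield POSTs to a login endpoint that did not end in a 302 redirect.

    Assumption: a successful wp-login.php login redirects (302); a failed one
    re-renders the form with 200, and an xmlrpc.php auth failure is a 200 fault.
    """
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_ENDPOINTS and ev["status"] != 302:
            yield ev


def max_attempts_per_ip(lines):
    """What a per-IP rate limiter sees: the single busiest client. Stays tiny here."""
    counts = defaultdict(int)
    for ev in login_attempts(lines):
        counts[ev["ip"]] += 1
    return max(counts.values(), default=0)


def find_distributed_bruteforce(lines, window=timedelta(minutes=5),
                                min_attempts=8, min_distinct_ips=5):
    """Bucket failed login POSTs per endpoint and fixed time window, ignoring the
    source IP, and flag windows where many distinct clients share the effort."""
    buckets = defaultdict(lambda: {"attempts": 0, "ips": set()})
    secs = window.total_seconds()
    for ev in login_attempts(lines):
        t = ev["ts"].timestamp()
        start = datetime.fromtimestamp(t - (t % secs), tz=ev["ts"].tzinfo)
        b = buckets[(ev["path"], start)]
        b["attempts"] += 1
        b["ips"].add(ev["ip"])
    alerts = []
    for (path, start), b in sorted(buckets.items()):
        if b["attempts"] >= min_attempts and len(b["ips"]) >= min_distinct_ips:
            alerts.append({"path": path, "window_start": start.isoformat(),
                           "attempts": b["attempts"], "distinct_ips": len(b["ips"])})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("busiest single IP:", max_attempts_per_ip(lines))   # 2: no per-IP limit fires
    for alert in find_distributed_bruteforce(lines):
        print("distributed brute force:", alert)
```

On the sample data the busiest single client made only two attempts, well under any sensible per-IP limit, while the per-endpoint view shows ten failed logins from nine different addresses inside one window. In practice the alert would feed the firewall rule the article recommends (restricting wp-login.php and xmlrpc.php to known addresses, or disabling XML-RPC if nothing uses it), since blocking the visitor IPs themselves would only punish the unwitting participants.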
Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.
Vanderlindemedia
It's time devs, web designers, and the majority of folks stop using WordPress and look for serious alternatives.
I host websites as a profession, other than designing or doing marketing. One thing I noticed is the amount of resources required just to run WordPress, just to spawn up one page.
As a countermeasure you need tough tools like LiteSpeed Cache, Redis Object Cache, and additionally CloudLinux in order to cap or limit users whenever they exceed their resources in such attacks. Let alone the sheer amount of updates that can brick your website just like that.
Roughly 50 to 60% of total server traffic or consumed resources by now is purely WordPress, or noise caused by it. It's a terrible product from a technical standpoint.
digitalgriffin
The problem isn't WordPress. It's people using weak passwords. This can happen to any website with file sharing.

CmdrShepard said:
Ah, WordPress... the gift that keeps giving.