Wordfence, a security firm, has reportedly uncovered a massive brute-force attack launched on WordPress sites.
This attack reportedly infected over 20,000 WordPress sites and turned each of them into an ‘attacker site’ that attacks other WordPress sites. Although the motive of this attack is unknown, the course of events indicates a well-planned cyber attack.
The Two-Step Attack
In the first phase of this attack, the attackers targeted WordPress sites through four C2 (command-and-control) servers. The attackers used these C2 servers to send requests to around 14,000 Russian proxies.
Next, the attackers infected over 20,000 WordPress websites with a malicious ‘attack script’, which turned each of these sites into an attacker site. Finally, each of these 20,000 WordPress websites attacked other WordPress websites using brute force.
At present, several websites remain infected with the ‘attack script’, which turns them into attacker sites that have been attacking other websites. Wordfence claims to have blocked over 5 million authentication attempts with its Brute Force Protection and real-time IP Blacklist.
The attacker reportedly made some mistakes that allowed the security firm to track down the C2 servers despite the several layers of shielding the attacker employed. According to reports, three of the C2 servers belong to HostSailor, and one belongs to Selectel.
According to a report published by Wordfence, best-proxies[.]ru has been identified as the service provider that made these 14,000 proxy servers available. Wordfence was able to track down the IP on its firewall due to certain discrepancies in the attack script.
The security firm is currently informing the parties concerned, including law enforcement agencies and the hosts of affected WordPress websites, so that each of them can take adequate measures to counter the issue.