
Infected WordPress Sites Are Attacking Other WordPress Sites

“WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API). The attacks, first identified by the Defiant Threat Intelligence Team and reported by Wordfence on Wednesday, utilized four command-and-control (C2) servers that in turn send requests to over 14,000 proxy servers tied to a Russian internet firm called Best Proxies, according to Wordfence. ‘[The attackers] use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites,’ wrote Mikey Veenstra, a web security researcher at Wordfence, in a post. According to Veenstra, the infected WordPress sites, and the C2 sites controlling them, are still online and could be exploited by additional adversaries. He said Wordfence and Defiant are working with law enforcement to secure the vulnerable resources.”

Source: Infected WordPress Sites Are Attacking Other WordPress Sites | Threatpost | The first stop for security news

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.