Saturday, April 13, 2013

Super cyber attack looming? Additional news of note from the eSecurity world...

http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/


Huge attack on WordPress sites could spawn never-before-seen super botnet

Ongoing attack from >90,000 computers is creating a strain on Web hosts, too.

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.
The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a "botnet" of infected computers that's vastly stronger and more destructive than those available today. That's because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.
"These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.
It's not the first time researchers have raised the specter of a super botnet with potentially dire consequences for the Internet. In October, they revealed that highly debilitating DDoS attacks on six of the biggest US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic. The botnet came to be known as the itsoknoproblembro or Brobot, names that came from a relatively new attack tool kit some of the infected machines ran. If typical botnets used in DDoS attacks were the network equivalent of tens of thousands of garden hoses trained on a target, the Brobot machines were akin to hundreds of fire hoses. Despite their smaller number, they were nonetheless able to inflict more damage because of their bigger capacity.
There's already evidence that some of the commandeered WordPress websites are being abused in a similar fashion. A blog post published Friday by someone from Web host ResellerClub said the company's systems running that platform are also under an "ongoing and highly distributed global attack."
"To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers," the blog post reported. "We did a detailed analysis of the attack pattern and found out that most of the attack was originating from [content management systems] (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories."
The blog post continued:
"Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data."
According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.
"At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website," the company's Sean Valant wrote. "These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#@*)."
Operators of WordPress sites can take other measures too, including installing plugins such as this one and this one, which close some of the holes most frequently exploited in these types of attacks. Beyond that, operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.
Already, HostGator has indicated that the load of this mass attack is putting huge strain on websites, which slow to a crawl or go down altogether. There are also indications that once a WordPress installation is infected it's equipped with a backdoor so that attackers can maintain control even after the compromised administrative credentials have been changed. In some respects, the WordPress attacks resemble the mass compromise of machines running the Apache Web server, which Ars chronicled 10 days ago.
With so much at stake, readers who run WordPress sites are strongly advised to lock down their servers immediately. The effort may not only protect the security of the individual site. It could help safeguard the Internet as a whole.
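The attack described above is hard to catch with ordinary per-IP rate limiting, because each of the 90,000-plus sources only needs to try a handful of the 1,000 common passwords. As an added example (not code from the Ars Technica article, CloudFlare, HostGator or WordPress), the Python script below scans web-server access-log lines for both signals: one source hammering wp-login.php, and many distinct sources each failing a few times inside the same window. It assumes the standard Apache/nginx combined-log format, that WordPress answers a failed POST to wp-login.php with a 200 (the form is re-rendered) while a successful login answers with a 302 redirect, and it uses constructed sample log lines with documentation-range IP addresses; the thresholds and window size are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints the 2013 campaign brute-forced; xmlrpc.php is included because it
# also accepts WordPress credentials (assumed local policy).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    # Assumption: a failed wp-login.php POST returns 200 (form re-rendered),
    # a successful one returns 302, and GETs are just people loading the form.
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


def detect_bruteforce(lines, window=timedelta(minutes=5), per_ip=10, distinct_ips=20):
    """Two findings over the given log lines:
    - 'noisy_ips': sources with >= per_ip failed logins inside one window
      (classic single-source brute force, what fail2ban-style rules catch)
    - 'distributed_windows': windows in which >= distinct_ips different sources
      each failed at least once (the low-and-slow, many-source pattern that
      per-IP thresholds miss)."""
    events = [r for r in map(parse_line, lines) if r and is_failed_login(r)]
    events.sort(key=lambda r: r["ts"])
    if not events:
        return {"noisy_ips": {}, "distributed_windows": []}
    start = events[0]["ts"]
    buckets = defaultdict(lambda: defaultdict(int))  # window index -> ip -> failures
    for r in events:
        buckets[(r["ts"] - start) // window][r["ip"]] += 1
    noisy, distributed = {}, []
    for idx, per_source in sorted(buckets.items()):
        for ip, n in per_source.items():
            if n >= per_ip:
                noisy[ip] = max(noisy.get(ip, 0), n)
        if len(per_source) >= distinct_ips:
            distributed.append({
                "window_start": start + idx * window,
                "sources": len(per_source),
                "attempts": sum(per_source.values()),
            })
    return {"noisy_ips": noisy, "distributed_windows": distributed}


def sample_lines():
    """Constructed traffic: one noisy source (12 attempts), 25 low-and-slow
    sources (2 attempts each), a form load and one legitimate login."""
    fmt = '{ip} - - [13/Apr/2013:12:{m:02d}:{s:02d} +0000] "{req}" {status} 512 "-" "Mozilla/5.0"'
    post = "POST /wp-login.php HTTP/1.1"
    lines = [fmt.format(ip="198.51.100.7", m=0, s=i, req=post, status=200) for i in range(12)]
    for i in range(25):
        ip = f"203.0.113.{i + 1}"
        lines.append(fmt.format(ip=ip, m=1 + i % 3, s=i, req=post, status=200))
        lines.append(fmt.format(ip=ip, m=1 + i % 3, s=i + 30, req=post, status=200))
    lines.append(fmt.format(ip="192.0.2.10", m=2, s=5, req="GET /wp-login.php HTTP/1.1", status=200))
    lines.append(fmt.format(ip="192.0.2.11", m=3, s=0, req=post, status=302))
    return lines


if __name__ == "__main__":
    result = detect_bruteforce(sample_lines())
    print("noisy sources:", result["noisy_ips"])
    for w in result["distributed_windows"]:
        print(f"distributed attack from {w['window_start']}: "
              f"{w['sources']} sources, {w['attempts']} failed logins")
```

Run against a real log with `detect_bruteforce(open("access.log").readlines())`. The distinct-source count is the useful signal here: on the constructed input the single noisy IP is caught by the per-IP rule, but the 25 sources making two attempts each never cross it and only show up in the distributed count, which is why a plugin or edge service that looks at the aggregate login-failure rate (as the CloudFlare rule described above does) matters more than per-IP banning for this kind of campaign.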

eSecurity news items...

Kaspersky Warns of Bitcoin-Mining Skype Malware

The malware leverages the victim's CPU to mine Bitcoins.
By Jeff Goldman  |  April 08, 2013

Kaspersky Lab researchers recently came across a Skype malware campaign that leverages infected machines to mine Bitcoins. According to VirusTotal, only 9 of 45 anti-virus solutions currently detect the malware, which Kaspersky identifies as Trojan.Win32.Jorik.IRCbot.xkt.

Most victims currently live in Italy, Russia, Poland, Costa Rica, Spain, Germany and Ukraine -- and there are a lot of them. At this point, according to Kaspersky, the campaign is generating more than 2,000 clicks per hour.

Once a machine is infected, the malware connects to a command and control server in Germany and downloads several other pieces of malware from file hosting site Hotfile.com.

Among other things, the malware turns the infected PC into a Bitcoin miner. "It abuses the CPU of infected machine to mine Bitcoins for the criminal. ... If you see your machine is working hard, using all available CPU resources, you may be infected," writes Kaspersky Lab's Dmitry Bestuzhev.


Hackers Target First National Bank of Mercersburg

The Tunisian Cyber Army claims to have stolen 3,500 customers' clear text login credentials, Social Security numbers, and other data.

Members of the Tunisian Cyber Army recently claimed to have breached the Web site of Pennsylvania's First National Bank of Mercersburg as part of the Al Qaeda Electronic Army's anti-U.S. #opBlackSummer campaign.
The group told E Hacking News' Sabari Selvan that they had uncovered a SQL injection vulnerability in the bank's Web site and were able to retrieve data on 3,500 customers, including clear text login credentials, birthdates, e-mail addresses, mailing addresses, and Social Security numbers.
In a Facebook post on Friday, April 5, the group wrote, "Today is the second wave of #FridayOfHorror attacks as a part of #opBlackSummer and like every Friday there will be more and more victim on your financial sector today the FNBMBG bank got back and 3500 users are in danger so we repeat it again if you don't declare that you will take out your army from our beloved Muhammad lands we will increase the level of our operation which will attack not only your financial sector but the next Friday will be an attack on your airlines (we will work on getting control of your airports computer and you know very well that we can do it) and the electrical sector."



Most Enterprises Are Hit by a Cyber Attack Every Three Minutes

Tech companies exceed the average, experiencing malware events as often as once per minute.

According to FireEye's 2H 2012 Advanced Threat Report, most enterprises currently experience a malware event once every three minutes.
Due to their high concentration of intellectual property, tech companies far exceed the average, experiencing malware events as often as once a minute.
The report states that spear phishing is the most common method of initiating malware attacks, using common business terms such as "UPS" to trick victims into opening attachments. In fully 92 percent of such attacks, the malware is delivered as a ZIP file.
"Tactically, the fact that 92 percent of attachments in email attacks are ZIP files should encourage serious debate on how to filter such files in corporate networks," FireEye researcher Rob Rachwald wrote in a blog post.
The report also examines methods used to avoid detection, such as malware that executes only when the user moves a mouse.
"Today, malware writers spend enormous effort on developing evasion techniques that bypass legacy security systems," FireEye senior director of research Zheng Bu said in a statement. "Unless enterprises take steps to modernize their security strategy, most organizations are sitting ducks."
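Rachwald's point about filtering ZIP attachments is easier to discuss with a concrete policy check in hand. As an added example (not FireEye's code or any mail-gateway product), the Python script below inspects a ZIP attachment's central directory without extracting it and reports members that should send the message to quarantine: executable file types, the "Invoice.pdf.exe" double-extension trick common in "UPS"-themed lures, encrypted members that a scanner cannot open, nested archives, and compression ratios typical of decompression bombs. The extension lists and size thresholds are an assumed local policy, and the three sample archives are constructed in memory and contain no real malware.

```python
import io
import posixpath
import zipfile

# Assumed local policy, not a vendor's list.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".jar", ".dll", ".msi"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
BOMB_MIN_SIZE = 10_000_000   # uncompressed bytes before the ratio check applies
BOMB_MIN_RATIO = 100         # uncompressed / compressed


def inspect_zip(data: bytes):
    """Return (member_name, reason) findings for one ZIP attachment.
    An empty list means nothing in the archive tripped the policy.
    Only the central directory is read; no member is extracted."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = posixpath.splitext(name.lower())
            _, inner_ext = posixpath.splitext(stem)   # e.g. ".pdf" in "x.pdf.exe"
            if info.flag_bits & 0x1:                  # bit 0 = member is encrypted
                findings.append((name, "encrypted member, cannot be scanned"))
            if ext in EXECUTABLE_EXT:
                findings.append((name, "executable member"))
                if inner_ext in DECOY_EXT:
                    findings.append((name, "double extension masquerading as " + inner_ext))
            if ext == ".zip":
                findings.append((name, "nested archive"))
            if (info.file_size >= BOMB_MIN_SIZE
                    and info.file_size >= BOMB_MIN_RATIO * max(info.compress_size, 1)):
                findings.append((name, "compression ratio suggests a decompression bomb"))
    return findings


def _make_zip(members):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed sample attachments (no real malware): a benign report, a
    'UPS'-themed lure with a double-extension executable, and a 12 MB of zeros
    bomb that compresses to a few kilobytes."""
    return {
        "benign": _make_zip({"quarterly_report.txt": b"numbers look fine\n"}),
        "lure": _make_zip({"UPS_Invoice_0413.pdf.exe": b"not a real program",
                           "readme.txt": b"see attached"}),
        "bomb": _make_zip({"big.txt": b"\x00" * 12_000_000}),
    }


def triage(samples):
    """Map each sample name to its findings."""
    return {name: inspect_zip(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(build_samples()).items():
        print(f"{name}: {'ALLOW' if not findings else 'QUARANTINE'}")
        for member, reason in findings:
            print(f"  - {member}: {reason}")
```

Because only the central directory is parsed, the check is cheap enough to run on every inbound attachment at the gateway; the encrypted-member finding is the one most worth keeping even if the rest of the policy is relaxed, since a password-protected ZIP is exactly what an attacker uses to get past content scanning.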

