Knock Knock… Who’s There? admin admin and Get In! An Overview of the CMS Brute-forcing Malware Landscape

With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attack against CMSs. The goal of the attack is straightforward: obtain a valid username and password and log in to the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMS accounts are very weak. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks that spread malware.
The goal of this presentation is threefold. First, we will give an overview of the history and current state of brute-force attacks and discuss the reasons why WordPress is subjected to brute-force attacks more often than other CMS platforms. Second, we will provide an overview of the different brute-forcing botnets and the techniques they use. Third, we will provide an in-depth analysis of the Sathurbot botnet.
The Trojan Sathurbot first appeared in 2013 [3] and is still active, affecting hundreds of users. To date, the trojan has four known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware, such as Boaxxe, Kovter, and Fleercivet, to the infected machine. The web crawler module allows the trojan to query different search engines for websites running the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real infection. It provides insights into the infrastructure, target selection, and aggressiveness of the botnet, and an analysis of its success based on our observations.

Finally, we will talk about detection methods to identify this type of attack.
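One practical detection method for the login brute-forcing described above is to watch the web server's own access log for login POSTs. The following is an added example written for this overview, not code from the talk or from any project it describes. It assumes the Apache/Nginx "combined" log format and that WordPress logins arrive as POSTs to `/wp-login.php` or `/xmlrpc.php` (both real WordPress endpoints); the thresholds, the 302-means-success heuristic, and the sample log lines are constructed assumptions. It flags two patterns: a single source hammering the login endpoint, and the botnet-style distributed pattern in which many sources each try only a few credentials against the same site.

```python
"""Detecting WordPress login brute-forcing from web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format (assumption: logs are in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Real WordPress endpoints that accept credentials.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status")),
            "ua": m.group("ua")}


def login_attempts(lines):
    """Yield parsed POSTs to the login endpoints, in timestamp order."""
    recs = [r for r in map(parse_line, lines)
            if r and r["method"] == "POST" and r["path"] in LOGIN_PATHS]
    return sorted(recs, key=lambda r: r["ts"])


def detect(lines, window=timedelta(minutes=5), per_ip_threshold=10, distributed_threshold=20):
    """Return findings over the log lines (threshold values are illustrative assumptions):
    burst_ips: sources with >= per_ip_threshold login POSTs inside one `window`
    distributed: True if >= distributed_threshold distinct sources posted credentials inside one `window`
    possible_compromise: burst sources that later received a 302 on a login POST
      (heuristic: wp-login.php answers a failed login with 200 and a successful one with a 302 redirect)
    """
    attempts = login_attempts(lines)
    per_ip = defaultdict(list)
    for rec in attempts:
        per_ip[rec["ip"]].append(rec)

    burst = set()
    for ip, recs in per_ip.items():
        start = 0
        for end in range(len(recs)):  # sliding window over this source's attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= per_ip_threshold:
                burst.add(ip)
                break

    distributed = False
    start = 0
    for end in range(len(attempts)):  # sliding window over all attempts, counting sources
        while attempts[end]["ts"] - attempts[start]["ts"] > window:
            start += 1
        if len({r["ip"] for r in attempts[start:end + 1]}) >= distributed_threshold:
            distributed = True
            break

    compromised = sorted(ip for ip in burst if any(r["status"] == 302 for r in per_ip[ip]))
    return {"burst_ips": sorted(burst), "distributed": distributed,
            "possible_compromise": compromised}


def sample_log():
    """Constructed sample access-log lines (not real traffic); addresses are documentation ranges."""
    base = datetime(2017, 4, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, method, path, status, ua="Mozilla/5.0"):
        return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')

    lines = [line("192.0.2.7", base, "GET", "/index.php", 200)]
    # Single-source burst: 12 login POSTs in under a minute, the last one answered with a 302.
    for i in range(12):
        lines.append(line("203.0.113.5", base + timedelta(seconds=5 * i), "POST",
                          "/wp-login.php", 302 if i == 11 else 200))
    # Distributed pattern: 25 distinct sources, one POST each, spread over about 2.5 minutes.
    later = base + timedelta(hours=1)
    for i in range(25):
        lines.append(line(f"198.51.100.{i + 1}", later + timedelta(seconds=6 * i), "POST",
                          "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
```

The per-source counter alone misses the distributed case because each bot stays well under any reasonable per-IP threshold; the second counter keys on the target rather than the source, which is the view that exposes a botnet sharing one credential list across many infected machines. In production the same logic runs as a tail of the live log, and the 302 heuristic is worth confirming against the site's actual login behaviour before alerting on it.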

[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress
[2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
[3] Krebs On Security. (2013, April). Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

Veronica Valeros
Veronica specializes in malware network traffic analysis and network behavioral patterns. Since 2013 she is part of the Cognitive Threat Analytics team, Cisco Systems.