430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Brute-Force amplification attacks on WordPress rely on XML-RPC

Security experts at Sucuri have uncovered threat actors abusing an XML-RPC method to run Brute-Force amplification attacks on WordPress websites. According to the experts at security firm Sucuri, threat actors are exploiting the XML-RPC protocol implemented by WordPress and other popular content management systems to run brute-force amplification attacks. The XML-RPC protocol allows users to […]

ShapedPlugin plugin

Security experts at Sucuri have uncovered threat actors abusing an XML-RPC method to run Brute-Force amplification attacks on WordPress websites.

According to the experts at security firm Sucuri, threat actors are exploiting the XML-RPC protocol implemented by WordPress and other popular content management systems to run brute-force amplification attacks.

The XML-RPC protocol allows users to execute multiple methods within a single request by using the “system.multicall” method.

When attackers run a brute-force attack on WordPress websites to guess the admin password they can be easily detected and repelled thanks to the alert raised by the “wp-login.php” login page.

By using the “system.multicall” method, the attackers can make several attempts in a single request, 3 or 4 HTTP requests are enough to try thousands of passwords avoiding detection of security solutions.

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allow application to pass multiple commands within one HTTP request.” states the blog post published by Sucuri.

Most attacks detected by Sucuri are using the wp.getCategories method within “system.multicall,” which requires a user/pass. Below an example of request used in the attacks:

<methodCall><methodName>system.multicall</methodName>
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string></string></value><value><string>admin</string></value><value><string>demo123</string></value>
..
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value>
<value><string>site.com</string></value>

The experts have highlighted that attackers could rely on many other XML-RPC methods that require a username and a password to run the brute-force amplification attacks.

Sucuri has been monitoring such brute force amplification attacks against WordPress websites since September 10, but the experts noticed a significant increase in the number of requests in October.

Sucuri Brute-Force Amplification Attacks WordPress-XMLRPC-2015

On October 7, the number of requests was greater than 60,000, each containing hundreds or thousands of username/password combinations.

To mitigate such kind of brute-force amplification attacks, administrators can block “system.multicall” requests by properly configuring their web application firewall (WAF). Another mitigation option consists in the block of all access to “xmlrpc.php,” but this setting can interfere with common plugins such as the Jetpack plugin.

Pierluigi Paganini

(Security Affairs – Brute-force amplification attack, WordPress)