Brute-Force amplification attacks on WordPress rely on XML-RPC

Security experts at Sucuri have uncovered threat actors abusing an XML-RPC method to run Brute-Force amplification attacks on WordPress websites.

According to the experts at security firm Sucuri, threat actors are exploiting the XML-RPC protocol implemented by WordPress and other popular content management systems to run brute-force amplification attacks.

The XML-RPC protocol allows users to execute multiple methods within a single request by using the “system.multicall” method.

When attackers run a brute-force attack on WordPress websites to guess the admin password they can be easily detected and repelled thanks to the alert raised by the “wp-login.php” login page.

By using the “system.multicall” method, the attackers can make several attempts in a single request, 3 or 4 HTTP requests are enough to try thousands of passwords avoiding detection of security solutions.

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allow application to pass multiple commands within one HTTP request.” states the blog post published by Sucuri.

Most attacks detected by Sucuri are using the wp.getCategories method within “system.multicall,” which requires a user/pass. Below an example of request used in the attacks:

<methodCall><methodName>system.multicall</methodName>
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string></string></value><value><string>admin</string></value><value><string>demo123</string></value>
..
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value>
<value><string>site.com</string></value>
…

The experts have highlighted that attackers could rely on many other XML-RPC methods that require a username and a password to run the brute-force amplification attacks.

Sucuri has been monitoring such brute force amplification attacks against WordPress websites since September 10, but the experts noticed a significant increase in the number of requests in October.

On October 7, the number of requests was greater than 60,000, each containing hundreds or thousands of username/password combinations.

To mitigate such kind of brute-force amplification attacks, administrators can block “system.multicall” requests by properly configuring their web application firewall (WAF). Another mitigation option consists in the block of all access to “xmlrpc.php,” but this setting can interfere with common plugins such as the Jetpack plugin.

Pierluigi Paganini

(Security Affairs – Brute-force amplification attack, WordPress)