Categories: Breaking NewsCyber CrimeHacking

Brute-Force amplification attacks on WordPress rely on XML-RPC

Security experts at Sucuri have uncovered threat actors abusing an XML-RPC method to run Brute-Force amplification attacks on WordPress websites.

According to the experts at security firm Sucuri, threat actors are exploiting the XML-RPC protocol implemented by WordPress and other popular content management systems to run brute-force amplification attacks.

The XML-RPC protocol allows users to execute multiple methods within a single request by using the “system.multicall” method.

When attackers run a brute-force attack on WordPress websites to guess the admin password they can be easily detected and repelled thanks to the alert raised by the “wp-login.php” login page.

By using the “system.multicall” method, the attackers can make several attempts in a single request, 3 or 4 HTTP requests are enough to try thousands of passwords avoiding detection of security solutions.

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allow application to pass multiple commands within one HTTP request.” states the blog post published by Sucuri.

Most attacks detected by Sucuri are using the wp.getCategories method within “system.multicall,” which requires a user/pass. Below an example of request used in the attacks:

<methodCall><methodName>system.multicall</methodName>
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string></string></value><value><string>admin</string></value><value><string>demo123</string></value>
..
<member><name>methodName</name><value><string>wp.getCategories</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value>
<value><string>site.com</string></value>
…

The experts have highlighted that attackers could rely on many other XML-RPC methods that require a username and a password to run the brute-force amplification attacks.

Sucuri has been monitoring such brute force amplification attacks against WordPress websites since September 10, but the experts noticed a significant increase in the number of requests in October.

On October 7, the number of requests was greater than 60,000, each containing hundreds or thousands of username/password combinations.

To mitigate such kind of brute-force amplification attacks, administrators can block “system.multicall” requests by properly configuring their web application firewall (WAF). Another mitigation option consists in the block of all access to “xmlrpc.php,” but this setting can interfere with common plugins such as the Jetpack plugin.

Pierluigi Paganini

(Security Affairs – Brute-force amplification attack, WordPress)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.