Chinese Water Torture drives WordPress sites crazy

Ardi Jürgens

Many will have heard of “Chinese Water Torture”, a procedure in which ice-cold water is slowly dripped onto the head of a restrained victim, eventually driving them insane. Zone analysts have long tracked cyber-attacks that bear unexpected similarities to this torture method. Like “water torture”, the attack described below is nothing drastically new, but it is frighteningly effective.


Legacy as flypaper

Let’s start with the keyword XML-RPC (XML Remote Procedure Call), a protocol that allows one application to invoke procedures in another application over the Internet.

More modern alternatives such as REST (Representational State Transfer) and gRPC (gRPC Remote Procedure Call) have emerged alongside XML-RPC. Nevertheless, it is still widely supported, especially in more “mature” applications, and popular content management platforms such as WordPress, Drupal and Magento have historically used it.

What interests us here is the WordPress context, where XML-RPC is essentially legacy functionality, yet it is very widespread because it is part of the default installation. The vast majority of WordPress users, however, know nothing about it.

Unfortunately, as we know, pervasive “legacy” tooling of any kind is an attractive attack platform for criminals looking for victims in cyberspace.

The ‘xmlrpc.php’ file included by default in WordPress gives them fertile ground for this. Design decisions based on now outdated threat models have made this file a favourite of attackers: the WordPress XML-RPC endpoint is abused for password guessing through brute-force attacks, for denial of service (DoS) attacks and the like.

A consistent dripping on WordPress

For years, we at Zone have tried to mitigate such hazards for our customers by rate-limiting requests to the XML-RPC file at our firewall and by implementing other risk mitigation measures.

Nevertheless, our own analysts, as well as external parties such as various CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) teams, kept reporting successful attacks against our customers’ WordPress-based websites.

Upon further investigation, our specialists discovered methodical activity similar in nature to the aforementioned “Chinese Water Torture”.

Notably, when analysing web server logs, they noticed that attackers had started “dripping” requests at the WordPress XML-RPC endpoint: the requests arrive with great regularity, but with a very long gap between them, ranging from half an hour to several hours.

In total, the number of requests “dripped” in this way at Zone customers alone can exceed a massive 5 million per day, from over 50,000 unique IP addresses. Until just a short while ago, more than half of these requests came from China.
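As an added illustration (my own code, not code from the original post or from Zone), the following Python script turns this observation into a log check: it parses access-log lines in the common “combined” format, collects the timestamps of requests to xmlrpc.php per source address, and flags addresses whose requests arrive at long, regular intervals. The sample log lines are constructed, and the thresholds (at least four requests, gaps between 30 minutes and 8 hours, little variation between gaps) are assumptions chosen to match the pattern described above, not values taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
# 198.51.100.7 sends one POST to xmlrpc.php roughly every hour (the "drip");
# 203.0.113.9 sends a short burst, which ordinary rate limiting already catches.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:00:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:00:06:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:01:05:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:02:05:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:03:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:03:06:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:03:06:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:03:06:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:03:06:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds are assumptions modelled on the pattern described in the post.
MIN_INTERVAL = 30 * 60        # half an hour between requests
MAX_INTERVAL = 8 * 60 * 60    # "several hours"
MIN_REQUESTS = 4              # enough requests to judge regularity
MAX_JITTER = 0.25             # coefficient of variation of the gaps


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], TS_FMT)
    return record


def xmlrpc_timestamps(log_text):
    """Map each source IP to the timestamps of its requests for /xmlrpc.php."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and record["path"].split("?", 1)[0] == "/xmlrpc.php":
            per_ip[record["ip"]].append(record["ts"])
    return per_ip


def is_drip(timestamps):
    """True when requests are spaced by long, near-constant gaps: the slow-drip signature."""
    if len(timestamps) < MIN_REQUESTS:
        return False
    ordered = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    if not all(MIN_INTERVAL <= gap <= MAX_INTERVAL for gap in gaps):
        return False
    return pstdev(gaps) / mean(gaps) <= MAX_JITTER


def find_drippers(log_text):
    """Return the sorted list of source IPs showing the slow-drip XML-RPC pattern."""
    return sorted(ip for ip, stamps in xmlrpc_timestamps(log_text).items() if is_drip(stamps))


if __name__ == "__main__":
    for ip in find_drippers(SAMPLE_LOG):
        print(f"slow-drip XML-RPC pattern from {ip}")
```

Because the gaps are measured per source address, the check has to look back over many hours of logs, which is exactly why a short-window rate limit never sees this traffic. Legitimate integrations also call xmlrpc.php, so addresses it flags are candidates for review and correlation with failed logins rather than for automatic blocking.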

Attackers’ methodology

Where the criminals are actually located, no one can say without a more thorough investigation.

The attack takes place in several stages.

In the first stage, the list of the site’s WordPress users is retrieved via the XML-RPC endpoint, since this list is in most cases publicly accessible there.

The second stage involves guessing the passwords of the users on the list, using the old familiar methods:

  • lists of popular passwords
  • passwords already leaked from elsewhere
  • password derivation algorithms from the username (if the username is ‘jack’, then versions ‘jack123’, ‘jack666’, ‘jackman’, etc. are tried)
  • more recently, “artificial intelligence” has been employed to include the domain name and similar information in the candidate passwords.

In the third stage, once the password has been identified, the WordPress site is taken over and put to work for the attacker.

Some of the hijacked WordPress sites are used by the attackers to expand their network of hijacked WordPress sites, i.e. they start looking for the next victims and in turn “drip” malicious requests in their direction. However, most of them will be involved in promoting online casinos and potency pills.

Such slow, but methodical, work results in an exponentially growing network of compromised WordPress sites for criminals.

Unfortunately, the root cause that enables such attacks continues to be the low quality of passwords used by Internet users to authenticate themselves.
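As an added example (my own code, not the post’s or WordPress’s), the Python check below rejects exactly the kinds of passwords the guessing stage described above targets: entries from a popular-password list, passwords already leaked elsewhere, variants derived from the username (‘jack123’, ‘jack666’, ‘jackman’) and variants derived from the site’s domain name. The password lists are tiny constructed stand-ins; a real deployment would consult a full popular-password list and a breach corpus. The 12-character minimum, the suffix table and the leet substitutions are assumptions.

```python
from itertools import product

# Constructed, tiny stand-ins for the lists attackers draw on. A real deployment
# would consult a full popular-password list and a breach corpus (assumption).
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "admin", "welcome1", "wordpress"}
LEAKED_PASSWORDS = {"S3cretSauce!", "letmein2019"}   # constructed "already leaked" values

# Suffixes commonly glued onto a username or domain label; the table is an assumption.
COMMON_SUFFIXES = ["", "1", "12", "123", "1234", "666", "2024", "2025", "!", "man", "admin"]
LEET = str.maketrans("aeios", "43105")
MIN_LENGTH = 12  # assumption


def derived_variants(seed):
    """Predictable passwords derived from one seed, e.g. 'jack' -> 'jack123', 'Jack666', 'j4ckman'."""
    seed = seed.lower()
    bases = {seed, seed.capitalize(), seed.upper(), seed.translate(LEET)}
    return {base + suffix for base, suffix in product(bases, COMMON_SUFFIXES)}


def domain_labels(domain):
    """Meaningful labels of a site domain: 'shop.example.eu' -> {'shop', 'example', 'shopexample'}."""
    parts = [part for part in domain.lower().split(".") if len(part) > 3]  # drop TLD-sized labels
    labels = set(parts)
    if len(parts) > 1:
        labels.add("".join(parts))
    return labels


def password_problems(password, username, domain):
    """Return the reasons a password would fall to the guessing methods above (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in POPULAR_PASSWORDS:
        problems.append("on the popular-password list")
    if password in LEAKED_PASSWORDS:
        problems.append("found in a leaked-password corpus")
    if password in derived_variants(username) or username.lower() in lowered:
        problems.append("derived from the username")
    for label in sorted(domain_labels(domain)):
        if password in derived_variants(label) or label in lowered:
            problems.append(f"derived from the site domain ({label!r})")
            break
    return problems


def is_acceptable(password, username, domain):
    """Convenience wrapper for a registration or password-change hook."""
    return not password_problems(password, username, domain)


if __name__ == "__main__":
    for candidate in ("jack123", "Example2025!", "correct-horse-battery-staple"):
        print(candidate, "->", password_problems(candidate, "jack", "example.eu") or "acceptable")
```

The substring tests (`username in password`, `label in password`) are deliberately blunt: a password that merely contains the username or a domain label is within reach of the derivation methods listed above even when it is not an exact variant, so it is cheaper to reject it than to enumerate every transformation.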

The WordPress ecosystem responds to such problems mainly with plugins, and this case is no exception: there is a selection of plugins that perform specific tasks:

as well as a wider range of tools such as

The problem is that WordPress administrators who do not set secure passwords for themselves and their users do not install such security plugins either.

Restrictions on some requests

The scale of the attacks means that, wanting to help our users and the ecosystem we have built, we cannot remain on the sidelines in this case.

Having weighed the risks of WordPress and XML-RPC, we have decided to block WordPress xmlrpc.php requests by default at the Web Application Firewall (WAF) level on our servers.

This does not mean that the XML-RPC functionality of WordPress can no longer be used at all. If it is needed for some reason, one additional step has to be taken: turn off the firewall rule that denies these requests.

You can turn off the firewall rule using the My Zone administrative interface – instructions are available at: https://help.zone.eu/kb/xmlrpcphp-post-paringud-wordpressi-meetoditele/

The results of the blocking are shown in the chart below, which covers the requests blocked in the last 24 hours.
