SEARCH
TOOLBOX
LANGUAGES
Knock Knock... Who's there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

Knock Knock... Who's there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

From BruCON 2017

Revision as of 19:32, 26 June 2017 by Larry (talk | contribs) (Created page with "With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well known Content Management Systems (CMS)...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attacks against CMS. The main goal of this attack is pretty straightforward: to obtain a valid username and password and get access to the CMS administration panel. Attackers take advantage of the fact that still, in most cases, CMSs chosen passwords are very weak: admin, 123456, qwerty, etc. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware or even for selling in the black market to interested parties.

The goal of this presentation is threefold: first, to outline different malware and botnets with CMS brute-forcing capabilities; second to provide a comparison of the most prominent brute-forcing botnets with a focus on their technical capabilities; third to present an in-depth analysis of a real life distributed brute-force attack on a popular CMS platform performed by a botnet known as Sathurbot.

While the trojan Sathurbot first appeared in 2013 [3], it is still active and affecting hundreds of users. To this date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to search in different searching engines for websites using WordPress CMS. The brute-forcing module is what the trojan uses to attempt to login to the WordPress admin panels with different credentials. The case of study is focused on the web crawling and brute-forcing modules with specific insights obtained of a real life infection. It will provide insights of the infrastructure, target selection, aggressiveness, and an analysis of it's success from our observation.

As a final contribution, we will present some detection methods that can be used to identify CMS brute-forcing attacks.

[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress [2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/ [3] Krebs On Security. (2013, April) Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/