The Case Of A Flash Redirector From A Brute Force Password Attack

We noticed an unusual spike in “Flash redirector” detection hits during October. The source was compromised websites.

[Figure 1. Flash Redirector Detection Hits]

The compromised websites contained injected code that loaded a malicious Flash object, which in turn attempted to redirect visitors to the Angler exploit kit.

[Figure 2. Injected Code]

This flash redirector is not a new thing. It was written about by MalwareBytes a year ago. However, the sudden spike we observed during October got our attention and prompted us to look at it a bit closer.

Interestingly, the URL pattern did not change much from what MalwareBytes saw, except that we did not see the URL shortener us.to being used. The actors behind the attacks take advantage of free domains and unusual top-level domains.

[Figure 3. Flash Redirector URLs from 2014]

[Figure 4. Flash Redirector URLs from 2015]

While looking into how the websites were compromised, we noticed that all of them were built using WordPress. Our initial thought was that these websites were attacked via a vulnerable plugin.

Further investigation on the compromised servers revealed that one of the attacker’s tactics was a simple brute force password attack. The attacker first attempted to enumerate WordPress usernames by requesting URLs such as these:

http://www.samplewebsite.com/?author=1
http://www.samplewebsite.com/?author=2
http://www.samplewebsite.com/?author=3

Below is a snippet of the access log that shows the author scanning.

[Access log excerpt 1: author enumeration requests]

After obtaining the username, the only thing the attacker still needed was the password. The tool used by the attacker tried around 1200 passwords before it managed to log in successfully.

[Access log excerpt 2: password guessing attempts against wp-login.php]

After gaining access to an admin account, the attacker proceeded to upload malicious scripts onto the server. These scripts included a backdoor and even a spammer component.

[Access log excerpt 3: upload of malicious scripts]
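The three stages visible in the access logs above (author enumeration, repeated POSTs to wp-login.php, then admin-side uploads) are easy to pick out of an Apache log once you know the pattern. The following script is an added example written for this post, not code from the original article or from any tool mentioned in it; the log lines it analyses are constructed samples, and the threshold values are assumptions you would tune to your own traffic. It relies on one piece of WordPress behaviour: a failed login to wp-login.php re-renders the form with HTTP 200, while a successful one answers with a 302 redirect into wp-admin, so the status code separates the failed guesses from the one that worked.

```python
"""Flag WordPress author enumeration, login brute forcing and follow-on
admin uploads in Apache combined-format access logs.
Example code added to this post; sample log lines are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')


def build_sample_log():
    """Constructed sample lines (not real traffic) mirroring the attack:
    three /?author=N probes, 25 failed logins, one success, one upload."""
    attacker, bystander = "203.0.113.7", "198.51.100.4"

    def line(ip, method, path, status, sec):
        return (f'{ip} - - [12/Oct/2015:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

    lines = [line(attacker, "GET", f"/?author={i}", 301, i) for i in range(1, 4)]
    lines.append(line(bystander, "GET", "/index.php", 200, 5))
    # failed logins: WordPress re-renders the form with HTTP 200
    lines += [line(attacker, "POST", "/wp-login.php", 200, 60 + i) for i in range(25)]
    # the successful guess is answered with a 302 redirect into wp-admin
    lines.append(line(attacker, "POST", "/wp-login.php", 302, 90))
    lines.append(line(attacker, "POST", "/wp-admin/async-upload.php", 200, 95))
    lines.append(line(bystander, "POST", "/wp-login.php", 200, 100))  # one typo, not an attack
    return lines


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_author_enumeration(lines, min_ids=3):
    """IPs that requested /?author=N for at least min_ids distinct IDs."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        m = AUTHOR_RE.match(rec["path"])
        if m:
            seen[rec["ip"]].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


def find_login_bruteforce(lines, threshold=20):
    """IPs with at least `threshold` failed POSTs to wp-login.php, and
    whether any of their attempts produced the 302 that marks success."""
    stats = defaultdict(lambda: {"failed": 0, "success": False})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == 200:
            stats[rec["ip"]]["failed"] += 1
        elif rec["status"] == 302:
            stats[rec["ip"]]["success"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


def find_admin_posts_by(lines, ips):
    """POSTs into /wp-admin/ from the given IPs (e.g. uploads after a
    brute-forced login); returns {ip: [paths]}."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if (rec["ip"] in ips and rec["method"] == "POST"
                and rec["path"].startswith("/wp-admin/")):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def analyze(lines):
    """Run all three checks and tie the admin POSTs back to suspect IPs."""
    enum = find_author_enumeration(lines)
    brute = find_login_bruteforce(lines)
    suspects = set(enum) | {ip for ip, s in brute.items() if s["success"]}
    return {"enumeration": enum, "bruteforce": brute,
            "admin_posts": find_admin_posts_by(lines, suspects)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_log()), indent=2))
```

Run it against a real log by replacing build_sample_log() with the lines of your access log; an IP that appears in all three results is the strongest signal, but author enumeration on its own is worth alerting on because it usually precedes the password guessing by minutes.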

Compromising websites is one of the most effective ways for cybercriminals to deliver malware. Being creatures of habit, users visit their favorite websites without any thought that their machines might get infected, so the owners of these websites have an important role in making this threat less prevalent. The standard advice is to keep all software running on your server up to date, which reduces the chance of being attacked through a known vulnerability. In the case of this particular attack, however, we cannot stress enough how important it is to protect your username and to use a strong, unique password. Furthermore, to defend against this kind of WordPress attack, do not use a WordPress admin account for publishing anything. You can also add the following rules to .htaccess to block author enumeration attempts.

# Stop WordPress username enumeration (requests such as /?author=1)
RewriteEngine On
# only the site root, with a query string of the form author=<number>
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
# redirect elsewhere; the trailing "?" drops the original query string
RewriteRule ^(.*)$ http://yoursite.com/somepage/? [L,R=301]

You can find more information here: Block WordPress User Enumeration, Secure WordPress Against Hacking
