A sports-related website has recently come under attack from what appears to be an automated system attempting to log in to the site with guessed credentials. Use of this strategy, known as a brute force attack, against WordPress websites is once again on the rise. In addition, the vast array of WordPress plug-ins provides ample opportunity for compromise if the site administrator does not keep up with patching.
The resurgence in attacks against WordPress may herald a new era in malware delivery. In the past, compromised websites have been used to redirect visitors to exploit kits that spread various forms of malware. For example, the TeslaCrypt ransomware was spread primarily through hijacked WordPress and Joomla sites, whose visitors were infected through out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer. TeslaCrypt is one of several ransomware families that encrypt the user's files and demand payment in return for the decryption key.
Ransomware has grown in popularity and has hit a variety of targets, including hospitals and even the San Francisco Municipal Transportation Agency (Muni). Muni did not pay the ransom; however, riders did get a day of free fares while the ticketing system was down.
The attack against the sports-related site may have been an attempt to gain privileged access in order to spread the Osiris variant of Locky ransomware, another encryption-for-ransom scheme targeting Windows computers. Locky/Osiris is typically distributed by a social engineering campaign that tricks users into opening an email attachment that appears to be an Excel invoice; notably, the malicious workbook was created with a Russian-localized version of Excel. The macros in the workbook download the malware's payload, renamed DLL files, to the computer. These files install Locky/Osiris, which then encrypts the user's files.
In this case, however, no social engineering was involved: the approach used against the subject site was repeated online password guessing by what appears to have been a bot. Because the attempt to compromise the sports-related site was unsuccessful, analysts cannot determine whether the website itself was the intended target of the Locky/Osiris ransomware or simply a stepping stone in a much larger campaign.
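The article describes the bot's method only as repeated login guesses. As an added example, not code from the original article or from the ISAO, here is a small Python detector for that pattern run over constructed web-server access-log lines: it watches POSTs to the two WordPress endpoints that accept credentials (wp-login.php and xmlrpc.php), counts them per source IP in a sliding window, and notes whether a burst was followed by a successful login. The IP addresses, timestamps and user agent are made up, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Regex for the Apache/nginx "combined" access-log format, e.g.
# 203.0.113.7 - - [20/Dec/2016:10:15:32 +0000] "POST /wp-login.php HTTP/1.1" 200 2931 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoints that accept WordPress credentials. xmlrpc.php is included because
# its system.multicall method lets a bot test many passwords per HTTP request.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag IPs that POST to a login endpoint `threshold` or more times inside any
    sliding `window`. Returns {ip: {"attempts": n, "succeeded": bool}}.
    WordPress answers a successful POST to wp-login.php with a 302 redirect to
    wp-admin; a failed one re-renders the form with a 200, so a 302 after a burst
    means a guess worked."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire events outside the window
            q.popleft()
        if len(q) >= threshold or rec["ip"] in flagged:
            hit = flagged.setdefault(rec["ip"], {"attempts": 0, "succeeded": False})
            hit["attempts"] = max(hit["attempts"], len(q))
            if rec["path"] == "/wp-login.php" and rec["status"] == 302:
                hit["succeeded"] = True
    return flagged


def make_sample_log():
    """Constructed sample traffic (not real logs): one bot hammering the login
    endpoints from 203.0.113.7, and one legitimate login from 198.51.100.5."""
    base = datetime(2016, 12, 20, 10, 15, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    bot_ua = "Mozilla/5.0 (Windows NT 6.1) WordPress-Brute/1.0"   # made-up user agent
    lines = [
        f'198.51.100.5 - - [{base.strftime(fmt)}] "GET /wp-login.php HTTP/1.1" 200 1983 "-" "Mozilla/5.0"',
        f'198.51.100.5 - - [{(base + timedelta(seconds=20)).strftime(fmt)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(12):   # 12 guesses in under 3 minutes, each answered with the 200 failure page
        ts = (base + timedelta(seconds=15 * i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 2931 "-" "{bot_ua}"')
    ts = (base + timedelta(seconds=200)).strftime(fmt)
    lines.append(f'203.0.113.7 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "{bot_ua}"')
    return lines


if __name__ == "__main__":
    for ip, hit in detect_bruteforce(make_sample_log()).items():
        print(f"{ip}: {hit['attempts']} login POSTs in window, succeeded={hit['succeeded']}")
```

Run it against the real access log (or tail the log into it) and feed flagged IPs to the firewall or a fail2ban jail. Two caveats: a single POST to xmlrpc.php can carry hundreds of guesses through system.multicall, so per-request counts undercount that channel and blocking or disabling xmlrpc.php is usually the better control; and a distributed bot that rotates source addresses will stay under any per-IP threshold, so also watch the total rate of failed logins per account.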
Sharing information about this attack with the local ISAO community has enabled the team to learn more about the methods and risks surrounding these attempts to access our systems. Working together and sharing information is the path to building the strongest defense against these cyber villains.
Abrams, L. (2016 December 5) Locky Ransomware switches to Egyptian Mythology with the Osiris Extension. Bleeping Computer. Retrieved from https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/
Barry, C. (2016 March 27). The evolution of Ransomware. Barracuda. Retrieved from https://blog.barracuda.com/2016/03/27/the-evolution-of-ransomware/
Fox-Brewster, T. (2016 November 28). Ransomware Crooks Demand $70,000 After Hacking San Francisco Transport System. Forbes. Retrieved from http://www.forbes.com/sites/thomasbrewster/2016/11/28/san-francisco-muni-hacked-ransomware/
Goodin, D. (2016 February 4). Mysterious spike in WordPress hacks silently delivers ransomware to visitors. Ars Technica. Retrieved from http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-hacks-silently-delivers-ransomware-to-visitors/
Paganini, P. (2016 December 20). Wordfence warns of a huge increase in brute force attacks on WordPress. Security Affairs. Retrieved from http://securityaffairs.co/wordpress/54556/hacking/brute-force-attacks-wordpress.html