Threat Intelligence Brief – December 2016


WordPress Exploits

We’re constantly monitoring security threat trends as well as attacks against our customers, and every month attackers continue to actively pursue exploitation of content management systems (CMS), especially WordPress.

As the most popular CMS, it’s no surprise that WordPress is a perpetual target for threat actors. As a result, there are a plethora of known exploits with new ones constantly being developed. Add this to the potential for users to misunderstand, or completely ignore, security best practices (reusing passwords, not installing updates, etc.) and you have a platform ripe for exploitation. This makes the understanding and minimization of these risks a major priority for any individual or organization leveraging WordPress.

Common WordPress Exploits
The most common attack method we’ve seen is a brute force against the administrator portal, commonly known as an Admin Portal Brute Force attack. This tactic is often followed by an XML-RPC attack, which can also be attempted separately.

Both methods allow attackers to bypass the security controls you have put in place. Once the attacker gains access, they’re free to do as they please on the compromised system: siphoning off sensitive billing information, hosting malicious files, or leveraging its resources to attack customers or other entities.

Before attempting more complicated attack methods, threat actors will try to take advantage of the well-documented lack of proper password management of WordPress admin portals. Weak passwords and poor password management are low-hanging fruit for threat actors.

XML-RPC is a feature of WordPress that’s relied upon by several plugins, allowing for procedure calls over HTTP. The attack targets the site’s xmlrpc.php endpoint and can carry multiple calls within a single HTTP request, which makes it an efficient vehicle for password guessing.
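The two attack patterns above leave a distinctive trace in the web server access log. The following detector is an added example (not part of the brief) that flags source IPs posting repeatedly to wp-login.php or xmlrpc.php inside a sliding window; the log format, thresholds and sample traffic are assumptions, and the xmlrpc.php threshold is deliberately low because one request there can hide many guesses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; the regex is an assumption, not from the brief.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints named in the brief. xmlrpc.php gets a lower threshold: one request can carry many login attempts.
THRESHOLDS = {"/wp-login.php": 10, "/xmlrpc.php": 3}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))  # drop query string

def detect_bruteforce(lines, window=timedelta(minutes=5), thresholds=THRESHOLDS):
    """Return {ip: {path: total_posts}} for sources reaching the threshold within any window."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in thresholds:
            hits[rec[0]][rec[3]].append(rec[1])
    flagged = {}
    for ip, per_path in hits.items():
        for path, times in per_path.items():
            times.sort()
            start = 0
            for end, t in enumerate(times):
                while t - times[start] > window:   # shrink the window from the left
                    start += 1
                if end - start + 1 >= thresholds[path]:
                    flagged.setdefault(ip, {})[path] = len(times)
                    break
    return flagged

def _line(ip, second, method, path, status=200):
    # Constructed combined-format line at 01/Dec/2016 10:MM:SS UTC (sample data, not a real log).
    return (f'{ip} - - [01/Dec/2016:10:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

# Constructed sample traffic using RFC 5737 documentation addresses, not real attacker IPs.
SAMPLE_LOG = (
    [_line("203.0.113.5", 3 * i, "POST", "/wp-login.php") for i in range(12)]  # 12 guesses in 33 s
    + [_line("198.51.100.7", 60 * i, "POST", "/xmlrpc.php") for i in range(4)]  # 4 XML-RPC POSTs
    + [_line("192.0.2.10", 5, "GET", "/wp-login.php"),
       _line("192.0.2.10", 20, "POST", "/wp-login.php", 302)]                   # one legitimate login
)
```

Feed real access-log lines to `detect_bruteforce` and the returned IPs are candidates for the blocklist the brief recommends.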

WordPress Brute Force IPs
These IPs account for more than 35% of the WordPress brute force attacks we’ve seen in recent weeks against our customers. We strongly suggest that you take the necessary precautions to ensure these IPs are blocked and are unable to exploit your environment.

WordPress IP list

Defending Against WordPress Attacks

There are several steps you can take to minimize the likelihood of your WordPress installation being successfully exploited. These recommendations echo common threat mitigation strategies and should be standard practice for any security program. Following these steps will leave your environment better positioned to withstand the common attack vectors we have witnessed and responded to.

  • Update WordPress, plugins & themes: Developers are continually pushing out updates to address software issues and vulnerabilities. By updating frequently, you reduce the likelihood of an old vulnerability being exploited. We also recommend turning on the auto-update feature in WordPress.
  • Use strong passwords for the admin portal: We can’t say this enough: password management is essential in preventing authentication brute force attacks, with special attention to the strength of the password. Password management isn’t optional in our modern IT setting. You can ease the burden of using very strong passwords and passphrases by using commercially available password managers. There is no reason to utilize weak passwords that can result in compromised accounts.
  • Prevent password reuse/recycling: Reusing passwords between multiple sites, blogs or WordPress instances places them at risk should one be compromised. Password reuse attacks are extremely common. Millions were affected by this as a result of the LinkedIn breach.
  • Disable XML-RPC (if unused): As with hardening an operating system, you should remove or disable any unneeded services. This will reduce the number of potential attack vectors. XML-RPC is a prime example. However, if you do need the functionality of XML-RPC and would like to prevent XML-RPC brute force attacks, we advise you utilize the Wordfence plugin. It does an excellent job in preventing and alerting you to brute force attacks.
  • Only install required extensions: Stick to the bare minimum of what you need; installing unnecessary extensions only increases the attack surface of your environment.
  • Don’t host WordPress on the same instance as your storefront: Always maintain WordPress on a separate instance from your storefront. Doing so once again reduces the attack surface and makes it harder for an attacker to move laterally within an exploited environment.



IoT devices have dominated the recent news cycle for their part in the record-breaking DDoS attacks against Krebs on Security and Dyn. While researching the latest malware behind these IoT botnets, the question was posed: how quickly would an IoT device be exploited once placed on the net? Well, it turns out that your average IoT device will be exploited within 10 minutes of connecting to the internet. This article stresses the importance of understanding the security measures in place on these devices and offers tips on how to keep them out of the next record-breaking botnet.


The malware we all love to hate is now being distributed through popular social media messenger services such as Facebook Messenger and LinkedIn. Researchers have uncovered a campaign that’s sending malicious JPG image files through affected social media messaging services to install the notorious ransomware, Locky, when clicked. The vulnerability was first reported to Facebook and LinkedIn in September but remains unpatched. Threat actors are taking advantage of the situation while these companies remain apathetic.


What started off as a homegrown device killer has now gone commercial. For only $50, anyone can buy a small USB device capable of drawing power into its capacitors and then discharging it back into the affected USB port, frying the device in the process. The company claims that more than 95% of devices with USB ports are vulnerable to this lethal device. The only real protection would be physically capping your USB ports.