In recent weeks, the occurrence of brute force login attempts targeting WordPress and Joomla installations have significantly increased in volume, with some entities reporting triple the attempts seen in the past. The attack volume has been so severe that it has led some hosting providers to block all attempts to access wp-login.php, even for site owners or administrators. While blocking all access outright might seem a bit draconian, about 25% of websites globally include WordPress installations – a tremendous attack surface if left undefended.
During the course of its investigation, Cisco TRAC discovered a repository of data believed to potentially be feeding the brute force login attempts. The trove included user lists, site lists, and password lists. Additionally, there is a list that appears to be a compilation of usernames and passwords used in previous brute force login attempts, scrapings from phishing and cracking forums, as well as the Nmap password list of common passwords. The compiled list has over 25,000 entries, half of which were duplicates. After cleaning up the duplicates, we were left with 783 unique usernames and 11,001 unique passwords – resulting in over 8.6 million possible combinations. However, it doesn’t appear the attackers are going to that extent; the total list of username/password pairs (with dupes removed) contained just over 13,000 combinations.
Examples of some of the more complex passwords discovered include:
The Common Vulnerability Reporting Framework (CVRF) is a security automation standard intended to make your life easier by offering a common language to exchange traditional security and vulnerability bulletins, reports, and advisories. You can read more about it on the official ICASI CVRF 1.1 page, in my CVRF 1.1 Missing Manual blog series, or in the cvrfparse instructional blog. CVRF 1.1 has been available to the public for almost a year and we would like to know how its helped and how we can improve it. Please take a moment to take the poll and please feel free to share it with any interested parties. Comments are encouraged and welcomed. The more feedback we get, the more we can improve CVRF.
Many network security administrators are struggling to keep their network “up-to-date” with the constant release of new vulnerabilities and software fixes. At the same time, they’re under pressure to provide near 100% availability of key business services and systems. Every time a vendor discloses a security vulnerability, network security administrators must identify affected devices and (in numerous cases) upgrade such devices. These activities can take hours, days, or even weeks depending on the size of the organization. For instance large enterprises and organizations may have thousands of routers and switches that need to be assessed for the impact of any given vulnerability. Cisco is helping customers by adopting cutting-edge security automation standards such as the Open Vulnerability and Assessment Language (OVAL) and the Common Vulnerability Reporting Framework (CVRF).
In the following blog posts, I’ve provided details about how security automation is helping customers:
Webcast took place on Tuesday, April 23rd at 10:00 a.m. EST (14:00 GMT). Over 150 customers from 29 countries learned about security automation; Cisco’s machine readable content strategy; and vulnerability assessment using OVAL. We discussed how customers can use OVAL to quickly assess the effects of security vulnerabilities in Cisco IOS Software devices. The recording is now available:
At 10:30 UTC one of the botnet spam campaigns we discussed yesterday took a shift to focus on the recent explosion in Texas. The miscreants responded to the tragic events in Texas almost immediately. The volume of the attack is similar to what we witnessed yesterday with the maximum volume peaking above 50% of all spam sent. We’ve seen 23 unique sites hosting the malware. This is an attempt to grow the botnet.
The concept of crowd sourcing cyber intelligence may sound like an unstructured process, but there’s more to it than that. First, you need to remember that all crowds consist of collections of individuals contributing to the community knowledge base. Second, someone has to take responsibility for gathering data from the crowd, analyzing it, and refining it into actionable information that crowd members can apply to their unique situations.
One of the main reasons I’m excited about my job is that I work for an organization with unique qualifications to lead the movement to collective, crowd-sourced cyber security. Cisco has customers all over the globe that have agreed to share threat intelligence data with us for analysis and redistribution back to the community. This process evolved as a byproduct of our main line network products, solutions, and services business. It also hasn’t escaped our notice that these efforts not only deliver huge benefits to our current customers, but also carry with them a truly compelling business value proposition. I really shouldn’t say more, but do it any way in a video blog post you can access here.