WordPress

Over the course of the current week, WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites.

The brute-force attack started on Monday morning at 03:00 AM UTC and is still going strong at the time of writing.

Brute-force attack targets over 190,000 WordPress sites/hour

To get an idea of the size of the campaign, WordPress security firm Wordfence says this is the biggest brute-force attack the company has had to mitigate since its founding in 2012.

"This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour," said Wordfence CEO and founder Mark Maunder on Monday. "The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off."

Brute-force attack scale

Wordfence says the brute-force attacks peaked at 14.1 million requests per hour. Brute-force requests originated from over 10,000 unique IP addresses and targeted around 190,000 WordPress sites per hour.

Initially, the Wordfence team believed that a recent leak which involved a torrent file shared on Reddit and GitHub, and containing over 1.4 billion cleartext username and password combinations, might have triggered the attacks by providing attackers with new credentials they could test.

After further analysis, Wordfence now says attackers use "a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks."
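The finding above means an admin password built from the site's own name is as exposed as one on a common-password list. As an added example (not code from Wordfence or from this article), the following Python check audits a password against both; the small common-password set, the function names, and the sample domain and page title are constructed assumptions.

```python
import re

# Constructed stand-in for a common-password list (assumption: a real audit
# would load a much larger list from a file).
COMMON_PASSWORDS = {"123456", "password", "admin", "letmein", "qwerty", "welcome"}

# Character substitutions to undo before comparing ("p@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def _letters(s):
    return re.sub(r"[^a-z]", "", s)

def normal_forms(password):
    """Two views of a password: decorations stripped, and leetspeak undone."""
    lower = password.lower()
    return {_letters(lower), _letters(lower.translate(LEET))}

def site_tokens(domain, site_text="", min_len=4):
    """Words guessable from the domain name and the site's public text."""
    labels = domain.lower().split(".")[:-1]            # drop the TLD
    words = re.findall(r"[a-z]+", " ".join(labels) + " " + site_text.lower())
    words += [_letters(label) for label in labels]     # "acme-bikes" -> "acmebikes"
    return {w for w in words if len(w) >= min_len}

def audit_password(password, domain, site_text=""):
    """Return the reasons a password is guessable; an empty list means none found."""
    forms = normal_forms(password)
    findings = []
    if password.lower() in COMMON_PASSWORDS or forms & COMMON_PASSWORDS:
        findings.append("common-password")
    for token in sorted(site_tokens(domain, site_text)):
        if any(token in form for form in forms):
            findings.append(f"site-derived:{token}")
    return findings

if __name__ == "__main__":
    # Constructed sample site and passwords.
    title = "Acme Bikes - Mountain bike rentals in Denver"
    for pw in ("Acm3B1kes2017!", "Admin123", "correct-horse-battery-staple"):
        print(pw, audit_password(pw, "acme-bikes.example", title))
```

Running the same check at password-change time, with the site's real title and tagline as `site_text`, rejects these passwords before they are ever set.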

Attackers hack into sites to install Monero miner

Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don't happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero.

This means the actual number of compromised sites is much larger than the number of IPs participating in the brute-force campaign.

According to Wordfence engineer Brad Haas, the company discovered all these details after one of their customers' servers was compromised and they were able to take a peek inside the campaign's operation.

Hackers made at least $100,000

Based on the two Monero wallet addresses connected to this illegal mining operation, Wordfence says attackers made over $100,000 worth of Monero, but the sum could be even higher.

The focus on mining Monero is no surprise since Monero's exchange rate almost doubled this month, drawing even more crooks to the fold.

Just this month, security firms reported on three malware campaigns that focused on installing Monero miners on compromised servers, PCs, and mobiles: Zealot, Hexmen, and Loapi.

Similarly, Monero's rising price is also what's driving more miscreants to the recent cryptojacking craze.
