Over the course of the current week, WordPress sites around the globe have been the targets of a massive brute-force campaign during which hackers attempted to guess admin account logins in order to install a Monero miner on compromised sites.
The brute-force attack started on Monday morning, 03:00 AM UTC and is still going strong at the time of writing.
Brute-force attack targets over 190,000 WordPress sites/hour
To get an idea of the size of the campaign, WordPress security firm Wordfence says this was the biggest brute-force attack the company was forced to mitigate since its birth in 2012.
“This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour,” said Wordfence CEO and founder Mark Maunder on Monday. “The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off.”
Wordfence says the brute-force attacks peaked at 14.1 million requests per hour. Brute-force requests originated from over 10,000 unique IP addresses and targeted around 190,000 WordPress sites per hour.
Initially, the Wordfence team believed that a recent leak which involved a torrent file shared on Reddit and GitHub and containing over 1.4 billion cleartext username and password combinations, might have triggered the attacks by providing attackers with new credentials they could test.
After further analysis, Wordfence now says attackers use “a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks.”
Attackers hack into sites to install Monero miner
Once attackers get in, they install a Monero miner, and they also use the infected site to carry out further brute-force attacks. These two operations don’t happen at the same time, and each site is either brute-forcing other WordPress sites or mining Monero.
This means the actual number of compromised sites is much larger than the number of IPs participating in the brute-force campaign.
According to Wordefence engineer Brad Haas, the company discovered all these details after one of their customers’ servers was compromised and they were able to take a peek inside the campaign’s operation.
Hackers made at least $100,000
Based on the two Monero wallet addresses connected to this illegal mining operation, Wordfence says attackers made over $100,000 worth of Monero, but the sum could be even higher.
The focus on mining Monero is no surprise since Monero’s exchange rate almost doubled this month, drawing even more crooks to the fold.
Just this month, security firms reported on three malware campaigns that focused on installing Monero miners on compromised servers, PCs, and mobiles— Zealot, Hexmen, and Loapi.