A coordinated wave of security breaches and brute-force attacks against a variety of WordPress websites has been reported by the security firm, Wordfence. At this time, the attackers appear to be installing Monero miners on the compromised sites. According to the first blog post released by Wordfence, the attacks began on December 18, 2017, at 3 AM UTC and ramped up significantly in the hours that followed.
The hacking operation was discovered during a Wordfence security audit after one of their customers’ servers was found to be breached. Since then, the company has determined that the hacking operation is carried out as a two-step process. Once a server is compromised, it is either used to brute-force other similar WordPress websites or to distribute a Monero miner through the website hosted on it.
Wordfence believes that the brute-force attempts peaked at over 14 million attacks per hour, with an estimated 10,000 unique IP addresses working in tandem to achieve this rate. Furthermore, over 190,000 WordPress websites are being targeted per hour, resulting in an unprecedented hourly attack volume for the security company.
After investigating patterns employed by the hackers and logs from compromised servers, the security term concluded that the attackers are using “a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks.” Initially, however, a data leak from December 5, 2017, was suspected to be the source of server credentials. Given that 1.4 billion passwords were exposed during the leak, Wordfence assumed that the attackers used this data as the entry vector.
According to the most recent statistics available at the time of writing this article, WordPress powers close to 30 percent of all websites in existence. As a result of this ubiquity, the framework, built on top of the PHP programming language, has been targeted by malicious actors several times in the past already. The recent attacks, however, are a clear attempt to benefit and profit from the ignorance of a common person browsing the internet.
Wordfence, going by the two Monero addresses that the mining operation is attached to, estimates that the attackers made off with $100,000 worth of digital currency, if not more. In the past few months, several breaches outside of the WordPress ecosystem have also been discovered and linked to Monero miners, including high-profile websites. The relative ease of Monero mining and rising valuation has made the cryptocurrency a natural choice for hackers to use.
There is, however, another predominant belief as to why the hackers have been turning to Monero. While bitcoin and ether follow the principles of decentralization and anonymity already, Monero takes privacy a step further by continually changing the sending and receiving address belonging to a particular wallet as well as enforcing confidential transactions. What this means is that, in the future, it may be complicated to trace funds belonging to the hackers and pursuing legal action against them may be near impossible.