Analysts at Wordfence have warned about a powerful wave of brute force attacks on sites running WordPress. The campaign started last Monday, December 18, 2017, and is still ongoing. Unknown attackers are trying to guess the credentials of site administrator accounts, and if the brute force is successful, they infect the sites with a Monero cryptocurrency miner.
Wordfence representatives write that this is the largest and most aggressive wave of attacks they have seen since the company was founded in 2012. According to the head of the company, Mark Maunder, up to 14,000,000 requests per hour are recorded at peak times. Because of this, Wordfence has already had to urgently expand its logging infrastructure.
The company's initial report states that the wave of attacks is coming from 10,000 IP addresses and may be related to the recent public leak of a huge credential database of more than 1.4 billion records. But additional research on this issue showed that the attackers combine common logins and passwords with heuristics based on the domain name and the content of the attacked site.
If the brute force succeeds, the attackers either install a Monero cryptocurrency miner on the site or use the compromised resource for further brute force attacks. The affected sites are not given both tasks at once: different resources are used for mining and for attacks.
Analysts were able to locate two cryptocurrency wallets owned by the attackers and report that the illegal mining has already brought the unknown group over $100,000.