Large-Scale Distributed Brute-Force Attacks Targeting WordPress Website Administrator Accounts

The NJCCIC has been alerted to a new profit-motivated brute-force attack currently targeting WordPress-powered websites. This attack attempts to compromise administrator login credentials to gain access to vulnerable websites and embed malware designed to mine the cryptocurrency Monero and generate profit for the attacker(s).

Threat
Beginning December 18, at approximately 10pm EST, Wordfence, a WordPress security plugin developer, detected the start of a large distributed brute-force attack targeting WordPress-powered websites and attempting to gain access to administrator accounts using weak, default, or compromised credentials. The attack originates from a large number of IP addresses, suggesting that a botnet is being used in this campaign. Each IP address was also observed generating a large number of attacks on each target; the campaign peaked at approximately 14.1 million attacks per hour against nearly 190,000 WordPress sites.

Analysis conducted by Wordfence on one victim’s server revealed excessive CPU consumption caused by “long-running Apache processes” and thousands of outgoing connections from the impacted server to port 80 on other servers. The botnet also appears to be controlled via an IRC server operating over ports 8080 and 9090. The malware used in this sophisticated campaign runs under a regular user account and deletes itself from the infected system’s hard disk, maintaining persistence by installing itself as a cron job scheduled to run every second. Some malware samples contained XMRig, software that mines the cryptocurrency Monero using a system’s CPU.

With the price of cryptocurrency rising, profit-motivated hackers have recently been conducting campaigns designed to steal the system and network resources of unsuspecting victims for financial gain. Monero in particular has gained popularity among cyber criminals because its privacy features significantly reduce law enforcement’s ability to trace transactions to a particular source or destination.
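The host-side indicators described above (thousands of outgoing connections to port 80, IRC control traffic over ports 8080 and 9090, and a cron job used for persistence) can be checked with a small triage script. The following is an added example written for this alert, not code from Wordfence or the NJCCIC. It parses text shaped like `ss -tnp` output and a user's crontab (both constructed samples here, using documentation-range addresses and a placeholder script path), and assumes that an "every second" job appears as a `* * * * *` entry because cron cannot schedule below one minute. The threshold of 100 outbound port-80 connections per process is an assumed value to tune locally.

```python
import re
from collections import Counter, defaultdict

# Ports the alert associates with the botnet's IRC command-and-control traffic.
C2_PORTS = {8080, 9090}
# Assumed threshold: a web server has little reason to hold this many outbound
# connections to port 80 at once; tune it for your environment.
OUTBOUND_HTTP_THRESHOLD = 100

# Matches the shape of `ss -tnp` rows:
#   state recv-q send-q local:port peer:port users:(("proc",pid=N,fd=M))
SS_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_ss(text):
    """Yield (process, pid, local_port, peer_addr, peer_port) for each socket row."""
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if m is None:
            continue  # header line or a socket with no owning process shown
        yield m['proc'], int(m['pid']), int(m['lport']), m['raddr'], int(m['rport'])

def triage_sockets(ss_text, threshold=OUTBOUND_HTTP_THRESHOLD):
    """Flag processes fanning out to port 80 and any peer on a C2-associated port."""
    fanout = Counter()
    c2_peers = defaultdict(set)
    for proc, pid, lport, raddr, rport in parse_ss(ss_text):
        owner = (proc, pid)
        # Inbound web traffic terminates on our own 80/443; an outbound connection
        # has an ephemeral local port and the peer's port 80.
        if rport == 80 and lport not in (80, 443):
            fanout[owner] += 1
        if rport in C2_PORTS:
            c2_peers[owner].add(f"{raddr}:{rport}")
    return {
        "http_fanout": {o: n for o, n in fanout.items() if n >= threshold},
        "c2_port_peers": {o: sorted(p) for o, p in c2_peers.items()},
    }

# Cron cannot schedule below one minute, so an "every second" job is assumed to
# appear as a `* * * * *` entry that loops or re-spawns itself.
CRON_EVERY_MINUTE = re.compile(r'^\s*\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>\S.*)$')

def every_minute_jobs(crontab_text):
    """Return the commands of all every-minute crontab entries (comments skipped)."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = CRON_EVERY_MINUTE.match(line)
        if m:
            hits.append(m['cmd'].strip())
    return hits

# ---- constructed sample data (not captured from a real host) ----
def build_sample_ss(n_outbound_http=150):
    rows = []
    for i in range(n_outbound_http):
        rows.append(f'ESTAB 0 0 192.0.2.10:{40000 + i} 198.51.100.{i % 250 + 1}:80 '
                    f'users:(("apache2",pid=4242,fd={20 + i}))')
    # one connection to an IRC-style C2 port, and one ordinary inbound visitor
    rows.append('ESTAB 0 0 192.0.2.10:39001 203.0.113.5:8080 users:(("apache2",pid=4242,fd=12))')
    rows.append('ESTAB 0 0 192.0.2.10:80 198.51.100.200:51022 users:(("apache2",pid=1001,fd=9))')
    return "\n".join(rows)

SAMPLE_CRONTAB = """\
# constructed crontab; /tmp/.x/run.sh is a placeholder path, not a real indicator
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/run.sh
"""

if __name__ == "__main__":
    print(triage_sockets(build_sample_ss()))
    print(every_minute_jobs(SAMPLE_CRONTAB))
```

On a live host the two inputs would come from `ss -tnp` and `crontab -l` for each user, including the web server's service account, since the alert notes the malware runs as a regular user.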

This activity has not yet been attributed to any particular threat actor or Advanced Persistent Threat (APT) group.

For more information on this threat, including Indicators of Compromise (IoCs), please review the following open-source Wordfence reports:

Reporting
The NJCCIC has not received any reports of this attack being conducted against websites operated by New Jersey organizations; however, all administrators of WordPress-powered websites are encouraged to review the Wordfence reports listed above as soon as possible and take appropriate steps to mitigate this threat. If your organization experiences or suspects attacks associated with this threat, please report the incident to the NJCCIC via the Cyber Incident Report form on our website.

Recommendations

  • Change WordPress administrator account login credentials immediately and ensure all login credentials are unique and complex.
  • Use multi-factor authentication on all active accounts and delete unused accounts to reduce your attack surface.
  • Implement server-level controls and a reputable firewall to block brute-force attacks while also proactively blacklisting known malicious IP addresses.
  • Implement audit logging for privileged accounts and configure alerts to notify you of successful and unsuccessful login attempts.
  • Monitor server resources to verify that CPU usage remains within normal levels.
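The logging recommendation above can be turned into concrete detection logic: count POSTs to the WordPress login form per source IP inside a sliding window, alert when a single IP bursts, alert when many distinct IPs hit the form at once (the distributed pattern this campaign uses to stay under per-IP limits), and raise the severity when a success follows a run of failures. The script below is an added example, not NJCCIC or Wordfence code. It reads Apache combined-format access log lines (constructed here with documentation-range addresses), assumes the login endpoint is `/wp-login.php` and that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302, and uses assumed thresholds (10 attempts per IP, 50 distinct IPs, 3 failures before a success, 5-minute window) that should be tuned locally.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format; only the fields the detector needs are captured.
LOG_ROW = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/wp-login.php"      # assumption: the standard WordPress login endpoint
WINDOW = timedelta(minutes=5)     # assumed sliding window
PER_IP_THRESHOLD = 10             # assumed: login POSTs from one IP inside the window
DISTINCT_IP_THRESHOLD = 50        # assumed: distinct IPs posting to the form inside the window
FAILURES_BEFORE_SUCCESS = 3       # assumed: prior attempts that make a success worth an alert

def parse_row(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_ROW.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], TS_FORMAT)
    return m['ip'], ts, m['method'], m['path'].split('?', 1)[0], int(m['status'])

def detect_login_abuse(lines, window=WINDOW, per_ip=PER_IP_THRESHOLD,
                       distinct_ips=DISTINCT_IP_THRESHOLD):
    """Return alerts as (kind, ip_or_None, count) tuples, in the order they fire."""
    per_ip_times = defaultdict(deque)   # ip -> timestamps of its login POSTs in the window
    recent = deque()                    # (timestamp, ip) of every login POST in the window
    in_window = Counter()               # ip -> how many of its POSTs are still in the window
    alerts, flagged, distributed_alerted = [], set(), False

    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        ip, ts, method, path, status = row
        if method != "POST" or path != LOGIN_PATH:
            continue

        # Slide the per-IP window (the newest entry is never evicted).
        q = per_ip_times[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()

        # Slide the global window and keep the distinct-IP count current.
        recent.append((ts, ip))
        in_window[ip] += 1
        while ts - recent[0][0] > window:
            _, old = recent.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]

        # Assumption: a failed wp-login POST re-renders the form (200); a success redirects (302).
        if status == 302 and len(q) - 1 >= FAILURES_BEFORE_SUCCESS:
            alerts.append(("success_after_failures", ip, len(q) - 1))
        if len(q) >= per_ip and ip not in flagged:
            flagged.add(ip)
            alerts.append(("per_ip_burst", ip, len(q)))
        if len(in_window) >= distinct_ips and not distributed_alerted:
            distributed_alerted = True
            alerts.append(("distributed_burst", None, len(in_window)))
    return alerts

# ---- constructed sample log (documentation-range IPs, not real traffic) ----
def build_sample_log():
    base = datetime.strptime("01/Jan/2024:10:00:00 -0500", TS_FORMAT)
    row = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FORMAT)
    lines = [row.format(ip="198.51.100.1", ts=at(0), method="GET", path="/index.php", status=200)]
    # one IP hammering the form, then getting in
    for i in range(12):
        lines.append(row.format(ip="203.0.113.7", ts=at(5 * i), method="POST", path=LOGIN_PATH, status=200))
    lines.append(row.format(ip="203.0.113.7", ts=at(65), method="POST", path=LOGIN_PATH, status=302))
    # sixty distinct IPs each trying once: low per-IP rate, high aggregate rate
    for i in range(60):
        lines.append(row.format(ip=f"198.51.100.{10 + i}", ts=at(70 + i), method="POST", path=LOGIN_PATH, status=200))
    return lines

if __name__ == "__main__":
    for alert in detect_login_abuse(build_sample_log()):
        print(alert)
```

The distinct-IP alert is the one that matters for a campaign like this: each bot may stay below any per-IP lockout, so a per-IP rule alone sees nothing, while the aggregate rate against the login form rises sharply.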

If compromised, act quickly to contain and eradicate the threat to prevent damage to your site, server, and the reputation of your brand and IP address.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.
