Hackers target WordPress websites with cryptomining campaign

News by Rene Millman

Hackers have deployed brute force attacks on WordPress websites in order to turn them into cryptocurrency miners. Single botnet thought to be behind massive attack that yielded almost £750,000 for criminals.

Hackers have deployed brute force attacks on WordPress websites in order to turn them into cryptocurrency miners.

According to security researchers at Wordfence, criminals have used malware to control compromised WordPress servers remotely. The servers are being used to both attack other WordPress sites and to mine for Monero, a cryptocurrency that can be efficiently mined using web server hardware.

Wordfence engineer Brad Haas said in a blog post that evidence points to the attackers earning almost £75,000 from mining already, and in all likelihood, quite a lot more.

Haas's attention was bought to the issue when one of his company's customer's hosting company received an abuse complaint, including logs of failed WordPress login attempts from the customer's server.

With root access, it was discovered that one process on the website, named “29473” had been using more resources than everything else.

“A process which has consumed enormous amounts of processing power and communicating with a “mining proxy” has to be a cryptocurrency miner, almost certainly for Monero, since it can be mined using regular processors instead of graphics processors,” said Haas. He added that connections to other web servers are likely to be the WordPress brute force attacks that are known to originate from this server.

Haas said that based on the traffic and analysis of some samples recovered, the malware appears to be a variant of “Tsunami” or “Kaiten.” A total of eight command and control servers had also been identified in the mining operation, four of which are hosted at OVH.

The malware, while not a rootkit, still tries to be as stealthy as possible, according to Haas. 

“We found several different variations of the malware. Most of them were designed so that when they're started up, they delete their own file from the disk. That way, antivirus software won't identify them (unless it scans programs in memory as well),” said Haas.

Haas added that the malware is also responsible for the brute force attacks. 

“Based on our observations, it uses a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks – including names, usernames, and words,” he said.

Some malware samples collected contained the Monero mining software XMRig. “In most cases, the attacker configured it to run through one of several proxies, so we don't know the wallet address associated with the miners,” said Haas. But in a few instances, the attacker manually ran mining commands pointed at pool.supportxmr.com, and included the wallet address.”

Haas said that the reason behind brute-force attacks was the price of Monero. “At the beginning of this month, the price of Monero had barely broken $200 (£150). But its value has since skyrocketed, reaching $378 (£282) the day before the attacks started,” he said.

Haas recommended that websites should run a scan for malware and check server resources. They should also harden websites against brute force attacks and monitor blacklists.

Javvad Malik, security advocate at AlienVault, told SC Media UK that cryptomining is becoming big business as value of crypto-currencies continue to stay high. 
“Users should take care around WordPress sites by ensuring they are running the latest version, enable two factor authentication, and only installing trusted plugins,” he said. “Additionally, companies should scan WordPress installs for vulnerabilities, and monitor for unusual activity, such as spikes in CPU usage that can be indicative of compromise.”

Josh Mayfield, director at FireMon, told SC Media UK that the best way to detect if a WordPress site has been compromised is to monitor the system's activity in real-time.  “Then, when certain thresholds are passed, you have a leading indication of compromise.  If your baseline for connection requests is 125,000 in a given day, and that number rises by 25 percent in a single hour this can trigger a flag to say, ‘Look over here, something doesn't seem right',” he said.

“Secondly, it is important to run regular configuration assessments to note what is possible for your WordPress sites.  Are the whitelist protocols the right ones?  Are the ports the matched to appropriate protocols and services?  What are the most common combinations of services, ports, protocols, sources, etc?  Configuration assessments are the best way to get a baseline, assess the risks, and make changes that are in your best interest.”

In a separate development in the cryptocurrency world, three fake Bitcoin wallet apps appeared in The Google Play Store. 

According to a blog post by Lookout, it identified three Android apps disguised as bitcoin wallet apps, previously in the Google Play Store, that trick victims into sending bitcoin payments to attacker-specified bitcoin addresses. Google removed the apps immediately after Lookout notified the company. The apps collectively had up to 20,000 downloads at time of removal.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews