This December, we wrote about:
that led to this:
Now it's time to find out what the purpose of this massive spike in brute force attacks on WordPress sites was!
Attack Campaign Strategy:
- Gain access: via brute force, testing the credential pairs (latest and historical list).
- Infect host account: based on the traffic and analysis, the malware appears to be a variant of “Tsunami” or “Kaiten”.
- Create foothold: compromised accounts connected to 8 remote Command & Control Servers, used to receive further “orders”.
- Mining Proxy: 184.108.40.206 on port 8080.
- Malware on the compromised servers installed XMRig, a Monero cryptocurrency miner.
- The attacker configured it to run through several proxies to hide the wallet address associated with the miners.
- At the beginning of December, the price of Monero Cryptocurrency was around $200.
- This value skyrocketed, reaching $378 after the attacks.
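The credential-guessing stage of the campaign above leaves a distinctive trace in the web server access log: bursts of POSTs to wp-login.php or xmlrpc.php from a single source. As an added illustration (not code from the original post), this Python snippet flags such sources in constructed sample log lines; the 60-second window and 20-request threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints hit by WordPress credential guessing
WINDOW_SECONDS = 60  # assumption: sliding window size
THRESHOLD = 20       # assumption: login POSTs per source IP inside one window

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_bruteforce_sources(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each source IP to its peak count of login POSTs within any `window`
    seconds, keeping only IPs whose peak reaches `threshold`."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            stamps_by_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # two-pointer sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: one IP hammering wp-login.php, one ordinary admin session."""
    fmt = '{ip} - - [05/Dec/2017:10:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" {status} 512'
    lines = [fmt.format(ip="203.0.113.5", sec=i, status=200) for i in range(25)]  # 200: form re-shown, i.e. failure
    lines += [fmt.format(ip="198.51.100.7", sec=s, status=st) for s, st in ((3, 200), (40, 302))]  # 302: redirect after success
    lines.append('198.51.100.7 - - [05/Dec/2017:10:00:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9031')
    return lines
```

Run `find_bruteforce_sources(sample_log())` to see only the hammering IP reported; feed real access log lines to the same function to check a site's own traffic.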
What is Cryptocurrency?
Cryptocurrency is a digital asset designed to work as a medium of exchange that uses cryptography to secure its transactions, to control the creation of additional units, and to verify the transfer of assets.
What is Cryptocurrency Mining?
People are sending Cryptocurrency to each other over the Cryptocurrency network all the time, but unless someone keeps a record of all these transactions, no-one would be able to keep track of who had paid what. The Cryptocurrency network deals with this by collecting all of the transactions made during a set period into a list, called a block. It’s the miners’ job to confirm those transactions and write them into a general ledger. This general ledger is a long list of blocks, known as the ‘blockchain’. A constantly updated copy of the block is given to everyone who participates so that they know what is going on.