Using Gravityscan to Prevent Cryptomining Attacks
If you’ve been following the events of the last week on our Wordfence.com blog, you’re likely aware of a massive brute force attack campaign that has been targeting WordPress sites. Our operations team at Defiant learned of the tenfold increase in worldwide attacks early Monday morning. At its height, this attack was peaking at over 14 million attempts per hour.
The Defiant Security Services Team began to receive an influx of site cleaning and site audit requests around the same time. Within some of those site cleaning requests, we found some of the very sites compromised by this aggressive campaign. The brute force attack also infected most of the sites’ PHP files with a single long line of code:
We were able to determine that cryptocurrency mining was the ultimate goal. And it worked: Defiant’s senior security analysts uncovered the Monero wallet into which this attack deposited funds to the tune of US$100,000.
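The artifact described above, an otherwise normal PHP file that has gained one abnormally long injected line, is something a site owner can look for locally while waiting on a full scan. The following script is an added example written for this post, not Gravityscan's scanner and not the campaign's code; the 1000-byte threshold and the sample files it builds in a temp directory are assumptions, with a placeholder string standing in for the injected payload.

```python
import os
import tempfile

# Assumed threshold (not from the post): a line longer than this many bytes
# is unusual in hand-written PHP and worth a manual review.
LONG_LINE_CHARS = 1000

def longest_line(path):
    """Return (line_number, length_in_bytes) of the longest line in a file."""
    best_no, best_len = 0, 0
    with open(path, "rb") as fh:
        for no, line in enumerate(fh, 1):
            if len(line) > best_len:
                best_no, best_len = no, len(line)
    return best_no, best_len

def scan_php_tree(root, threshold=LONG_LINE_CHARS):
    """Return sorted (relative_path, line_no, length) for every .php file
    under root that contains a line longer than threshold."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            no, length = longest_line(full)
            if length > threshold:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, no, length))
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample: one clean file, one with a single long injected
    first line (placeholder text, not real malware)."""
    os.makedirs(os.path.join(root, "wp-content"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "w", newline="\n") as fh:
        fh.write("<?php\n// clean file\nrequire 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "plugin.php"), "w", newline="\n") as fh:
        fh.write("<?php " + "/*PLACEHOLDER_INJECTED*/" * 60 + "\n")
        fh.write("// original plugin code follows\n")

def demo():
    """Build the sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_php_tree(tmp)

if __name__ == "__main__":
    for rel, no, length in demo():
        print(f"{rel}: line {no} is {length} bytes long, review it")
```

Point scan_php_tree at a site's document root to list files worth inspecting; legitimate minified libraries will also trip the threshold, so treat hits as a review queue rather than a verdict.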
Because Monero can be mined effectively on ordinary CPUs, bad actors will be increasingly tempted to use hacked web servers to mine the currency and reap profits. With the recent increase in the value of Monero, the temptation is now even greater.
All CMSes Are at Risk, and This Will Happen Again
We think we will likely see more cryptomining-motivated attacks like this in the future. The costs for hacking into a vulnerable site are low, and the payouts can be quite high. Though most of the hacking we’ve seen in the past has had a spam-related motivation, the increase in value of various cryptocurrencies will make mining more prevalent.
A couple of days after the original attack, we saw this same botnet ramp up attacks again. The number of attacking IP addresses surpassed the previous high, and we believe this attacker’s botnet is capable of scaling even further than what we’ve seen.
Though this attack appeared to target WordPress sites, it may have also targeted Joomla and Drupal applications. Based on the growing threat of cryptomining attacks, we expect to see attacks on these CMSes increase in frequency as well. Just because WordPress is a larger target, powering nearly 30% of the Internet, that does not make Joomla or Drupal safer. There are vulnerabilities in all older versions of open-source content management systems.
Using Gravityscan to Stay Vigilant
Gravityscan is an important tool to help you remain vigilant for this growing threat in two ways:
Vulnerability detection. Gravityscan looks for over 7,000 distinct vulnerabilities in all of the major content management systems and web server configurations. No other scanning service provides such wide-ranging vulnerability analysis, and we add new vulnerabilities daily. If you’re using Gravityscan regularly as a Pro user, you get alerted before the hackers do, ensuring that you can take action to protect your online assets much faster.
Malware detection. The malware this recent campaign placed on WordPress websites is of a variant detected by Gravityscan. If it affects your site, you’ll receive an alert that Gravityscan has found malicious files. Once Gravityscan finds these files, you can take steps to secure your site and discover how your site may have been compromised so that you can protect yourself in the future.
If you are an existing Gravityscan user, your site is currently being scanned for these vulnerabilities. You can also try out our Pro service with a free 14-day trial. This includes the full vulnerability details for each Pro site that has ownership verified, the ability to speed up your scans and send SMS alerts, and our awesome premium support.
You can read all the technical details about this event over on the Wordfence blog.