Brute force and ignorance, the approach to problem solving that uses overwhelming mass to solve a problem but ignores any requirement to consider how best to apply the mass of resources available or alternatives to its mass use.
18.104.22.168/24 22.214.171.124/24 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
It’s been another long week. In the last 7 days we’ve had SigRED, the F5 BIG-IP and Palo Alto CVE’s to respond to. We’ve also had APT35 indicators, as the ‘Charming Kitten’ is looking to cause mischief and mayhem. As I type this, EmoTet campaigns are lighting up our mail filters left, right and centre.
All big meaty stuff. But that is not all. Like an annoying mosquito buzzing around our heads at a BBQ, there’s been a constant stream of alerts from this website.
Above is a list of IP address and ranges. Each of the six above are trying once every hour to log into this website. They’ve been trying for days. They all appear in abuse reports across the internet and are within our own Threat Intelligence too. They just wont stop trying.
This reeks of one script somewhere using a distributed set of compromised hosts to act as a proxy for a single actor. The IP addresses themselves have a good reputation, so it’s really strange to see what must be a recent compromise being burnt for something as blunt as a ‘WordPress Brute Force’ attempt.
We can see from our own firewalls that our own infrastructure isn’t seeing connection attempts from these ranges. Obviously we’ve set alarms to fire if we do see an attempt but for now, it’s for our Managed Service Provider to resolve.
Brute force and ignorance
Now I’ve also got to be honest here, this was originally titled ‘Brute force over ignorance’. This appears to a Yorkshire-ism, commonly used around these parts. I always thought that was the more apt term, as it applies that a calculation has taken place. The outcome being that the perpetrator has determined that strength is the correct path, being favoured over intelligence.
Brute force and ignorance is more favouring the total lack of thought over which should be applied. That clearly matches our current flood of authentication attempts and now I’ve learnt something new.