New findings from Sucuri shows that threat actors are using malicious JavaScript injections to launch brute-force attacks against WordPress sites.
According to Denis Sinegubko, a security researcher, the attacks are distributed brute-force attacks that “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors.”
This incident is part of a known attack wave. Previously, compromised WordPress sites were employed to either inject crypto drainers like Angel Drainer directly or redirect users to Web3 phishing sites housing drainer malware.
What sets this latest version apart is its approach. Discovered on over 700 sites, the injections, in this case, don’t initiate a drainer. Instead, they utilize a list of commonly leaked passwords, attempting various combinations to breach other WordPress sites.
The attack comprises five steps, allowing perpetrators to exploit previously compromised websites to initiate brute-force attacks on potential targets:
- Compiling a list of targeted WordPress sites.
- Extracting authentic usernames of authors posting on these identified sites.
- Implementing harmful JavaScript code into already compromised WordPress sites.
- Utilizing visitors’ browsers to initiate a distributed brute-force attack on the targeted sites when individuals access the compromised sites.
- Unauthorized access to the target locations.
Denis Sinegubko explains that “For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request.” “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”
The motive behind the threat actors’ shift from crypto drainers to distributed brute-force attacks remains unclear. However, speculation suggests that the change might be driven by financial incentives, as hackers exploiting WordPress sites have various avenues to generate income.
According to Scam Sniffer data, crypto wallet drainers led to the loss of hundreds of millions of dollars worth of digital assets in 2023. Subsequently, the company responsible for developing Web3 anti-scam software noted that drainers exploit the normalization step within the wallet’s EIP-712 encoding process to circumvent security alerts.
This news emerged after the DFIR report highlighted that threat actors are exploiting a critical vulnerability in the 3DPrint Lite WordPress plugin (CVE-2021-4436, CVSS score: 9.8). This exploit allows them to conceal the Godzilla web shell, establishing persistent remote access.
Additionally, a recent SocGholish (also known as FakeUpdates) campaign has emerged, specifically targeting WordPress websites. In this campaign, JavaScript malware is disseminated through altered versions of authentic plugins and loaded using pilfered admin credentials.
“Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack,” researcher Ben Martin said.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.