Hacked WordPress sites abuse visitors' browsers for distributed brute force attacks

March 07, 2024 | Newsroom | Vulnerability / Web Security

Threat actors are launching brute force attacks against WordPress sites using malicious JavaScript injections, new findings from Sucuri show.

The attacks, which take the form of distributed brute force attacks, “target WordPress sites from the browsers of completely innocent and unsuspecting site visitors,” said security researcher Dennis Sinegubko.

The operation is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable in that the injections found in more than 700 sites to date do not load the drainer, but rather use a list of common and leaked passwords to brute force other WordPress sites.

The attack unfolds in five stages, enabling a threat actor to leverage already compromised websites to launch distributed brute force attacks against other potential victim websites:

  • Obtaining a list of target WordPress sites
  • Extracting the real usernames of authors who publish on those domains
  • Injecting malicious JavaScript code into already infected WordPress sites
  • Launching a distributed brute force attack on the target websites from visitors' browsers when they land on the compromised websites
  • Gaining unauthorized access to the target websites

“For each password in the list, the visitor's browser sends a request to the wp.uploadFile XML-RPC API to upload a file with the encrypted credentials that were used to authenticate this particular request,” Sinegubko explained. “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”
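The chain above leaves two footprints in an ordinary web server access log: the username-harvesting stage (requests for `?author=N` redirects or the `/wp-json/wp/v2/users` endpoint) and the brute force stage (bursts of `POST /xmlrpc.php` arriving from many unrelated client IPs, each sending only a handful of requests, because every visitor's browser contributes a few guesses). The following detector is an added example written for this page, not code from Sucuri or from the article; the log lines are constructed samples in Apache/Nginx combined format, and the window size and IP threshold are assumed tuning values, not figures from the research.

```python
"""Flag the distributed XML-RPC brute force pattern and author enumeration in access logs.

Added example for this page; the log entries below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client harvesting usernames, then five different clients
# each posting a few times to xmlrpc.php within a couple of minutes (visitor browsers),
# plus one unrelated image request as background noise.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2024:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [07/Mar/2024:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
198.51.100.11 - - [07/Mar/2024:10:03:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.11 - - [07/Mar/2024:10:03:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.23 - - [07/Mar/2024:10:03:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.23 - - [07/Mar/2024:10:03:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.42 - - [07/Mar/2024:10:04:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.77 - - [07/Mar/2024:10:04:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.77 - - [07/Mar/2024:10:04:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.90 - - [07/Mar/2024:10:05:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.90 - - [07/Mar/2024:10:05:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.8 - - [07/Mar/2024:10:06:00 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 51234
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_author_enumeration(events):
    """Stage two of the chain: clients probing ?author=N or the REST users endpoint."""
    ips = set()
    for e in events:
        path, _, query = e["path"].partition("?")
        if path.startswith("/wp-json/wp/v2/users") or re.search(r"(^|&)author=\d+", query):
            ips.add(e["ip"])
    return sorted(ips)


def find_distributed_xmlrpc(events, window=timedelta(minutes=10), min_ips=5):
    """Bucket POST /xmlrpc.php by time window and flag windows with many distinct client IPs.

    A single IP hammering xmlrpc.php is classic brute force; many IPs with a few
    posts each is the browser-distributed variant. Thresholds are assumed values.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # window start -> ip -> post count
    width = int(window.total_seconds())
    for e in events:
        if e["method"] == "POST" and e["path"].partition("?")[0].endswith("/xmlrpc.php"):
            epoch = int(e["ts"].timestamp())
            buckets[epoch - epoch % width][e["ip"]] += 1
    findings = []
    for start, per_ip in sorted(buckets.items()):
        if len(per_ip) >= min_ips:
            findings.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                "distinct_ips": len(per_ip),
                "total_posts": sum(per_ip.values()),
                "max_per_ip": max(per_ip.values()),
            })
    return findings


def analyze(log_text):
    """Run both detectors over raw log text and return their findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "author_enumeration": find_author_enumeration(events),
        "distributed_xmlrpc": find_distributed_xmlrpc(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Two caveats when running this against real logs. An HTTP 200 from `xmlrpc.php` says nothing about whether a guess succeeded, because XML-RPC returns 200 for fault responses too; the success indicator the article describes is the small text file written to `wp-content/uploads`, so confirmation means checking that directory for unexpected `.txt` files, not grepping status codes. And if the site does not need XML-RPC at all, the cleanest fix is to disable it outright (WordPress exposes the `xmlrpc_enabled` and `xmlrpc_methods` filters for this), which removes `wp.uploadFile` as a password oracle entirely.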

It is currently unknown what motivated the threat actors to switch from crypto drainers to distributed brute force attacks, although the change is believed to be driven by profit, as compromised WordPress sites can be monetized in various ways.

According to Scam Sniffer, crypto drainers caused hundreds of millions of dollars in digital asset losses in 2023. The Web3 anti-fraud solutions provider has since revealed that the drainers abuse the normalization step of the wallet's EIP-712 encoding procedure to bypass security alerts.

The development comes as The DFIR Report found that threat actors are exploiting a critical flaw in the WordPress plugin 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.

It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress sites, where JavaScript malware is distributed via modified versions of legitimate plugins that are installed using compromised administrator credentials.

“While there have been a number of maliciously modified plugins and several different fake browser update campaigns, the goal is of course always the same. for a ransomware attack,” said security researcher Ben Martin.
