Hundreds of new sites turned into brute force servers.


Attackers Exploit Hacked WordPress Sites for Massive Password-Cracking Campaign

Reports describe a concerning cyber attack in which hackers have weaponized hundreds of breached WordPress websites as command-and-control servers that coerce visitors' browsers into performing password-cracking on the attackers' behalf.

A closer look showed that a single search for the JavaScript snippet used in the attack turned it up on a staggering 708 sites, up from 500 occurrences merely two days earlier. Denis Sinegubko, the researcher who first identified the scheme, said that thousands of visitor machines had unknowingly executed the script, which directed them to contact numerous domains in an effort to guess the login credentials for accounts there.

Notably, the compromised websites hosting the malicious JavaScript exclusively targeted domains running the popular WordPress content management system. The JavaScript itself is small, at only 3 kilobits. It first contacts a getTask URL under the attacker's control, from which it retrieves a set of usernames for a target site paired with a list of common passwords. The visitor's browser then uses this data to attempt logins against that site, and the script loops through these steps continuously.

The Anatomy of the Attack

In a detailed analysis, Sinegubko described the stages of the attack, showing how threat actors use previously breached websites to orchestrate distributed brute force attacks against a multitude of unsuspecting victims:

Stage 1: Obtain URLs of WordPress sites. Attackers compile a list of target WordPress sites through web crawls or existing site databases.
Stage 2: Extract author usernames. The attackers extract genuine author usernames from the identified websites.
Stage 3: Inject malicious scripts. The malicious dynamic-linx[.]com/chx.js script is embedded into already compromised websites.
Stage 4: Brute force credentials. Visitors opening infected pages trigger the script, which carries out a distributed brute force attack behind the scenes.
Stage 5: Verify compromised credentials. Successfully guessed credentials give the attackers unauthorized access to the target sites identified in stage 1.
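Stage 3 is the point at which a site owner can still catch the campaign: the injected loader is an ordinary external script tag (or an inline snippet that references the same host). The following scanner is an added example, not code from the article or from Sucuri. It walks a page's HTML with the standard library parser, lists the hosts that serve scripts, and matches them against the indicators the article names, which are kept defanged in source. The sample page is constructed for the demonstration.

```python
"""Scan a WordPress page's HTML for the injected loader script (stage 3).

Added example, not code from the article or from Sucuri. The indicators are
the ones the article names, kept defanged in source; the sample page below
is constructed for demonstration.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Indicators quoted in the article, defanged so the source never holds live URLs.
DEFANGED_IOCS = [
    "hxxps://dynamic-linx[.]com/chx.js",
    "hxxps://dynamic-linx[.]com/getTask.php",
    "hxxps://dynamic-linx[.]com/completeTask.php",
]


def refang(indicator: str) -> str:
    """Convert 'hxxps://x[.]y' style defanging back into a matchable URL."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


# Hosts to look for, derived from the defanged list at import time.
IOC_HOSTS = {urlparse(refang(i)).hostname for i in DEFANGED_IOCS}


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and the text of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.external.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers the body of a <script> element as data.
        if self._in_script and data.strip():
            self.inline.append(data)


def script_host(src: str) -> Optional[str]:
    """Hostname of a script src; None for same-origin (relative) sources."""
    return urlparse(src).hostname


def scan_page(html: str) -> dict:
    """Return external script hosts plus any matches against the article's IoCs."""
    collector = ScriptCollector()
    collector.feed(html)
    external = [(src, script_host(src)) for src in collector.external]
    hits = [src for src, host in external if host and host in IOC_HOSTS]
    # Obfuscated loaders often keep the C2 host as a string inside an inline script.
    for text in collector.inline:
        for host in IOC_HOSTS:
            if host in text.lower():
                hits.append(f"inline script references {host}")
    return {
        "external_hosts": sorted({h for _, h in external if h}),
        "ioc_hits": hits,
    }


# Constructed sample page: one legitimate same-origin script, one injected
# loader, and an inline snippet that names the task server.
C2_HOST = next(iter(IOC_HOSTS))
SAMPLE_PAGE = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://{C2_HOST}/chx.js"></script>
</head><body><p>Welcome</p>
<script>var task = "https://{C2_HOST}/getTask.php";</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

Run it against the HTML of each page on a site you administer (fetched from disk or from the live site). Any external script host that is not one you deliberately added deserves a look even when it is not on this list, because the loader domain can change while the technique stays the same.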

Unveiling the Brute Force Mechanism

The distributed brute force attack, run through the browsers of innocent visitors, unfolds as follows:

  • Upon visiting a compromised webpage, the browser fetches a task from hxxps://dynamic-linx[.]com/getTask.php.
  • If the task is valid, the browser processes the data, obtaining the usernames and passwords to try against a targeted site.
  • Each password attempt triggers a wp.uploadFile XML-RPC API request, testing encrypted credentials. If a login succeeds, the request creates a text file containing the verified credentials in the WordPress directory.
  • After each batch of passwords, the script reports the task status to hxxps://dynamic-linx[.]com/completeTask.php. The cycle repeats for as long as the compromised page remains open.

Sinegubko observed browser requests checking for the uploaded files across thousands of unique domains. The responses were predominantly 404 errors, indicating failed login attempts. Approximately 0.5 percent of requests returned successfully, suggesting potential password compromises. On closer inspection, however, only one site had actually been breached; the rest had unusual configurations that returned a 200 response code erroneously.
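From the target site's side, the mechanism above leaves two traces in the web server access log: a stream of POST requests to xmlrpc.php arriving from many ordinary browsers, and probes for the text file that a successful wp.uploadFile call leaves behind (the 404-versus-200 check Sinegubko describes). The log analyser below is an added example, not code from the article or from Sucuri. It parses Apache combined-format lines, counts XML-RPC posts per source IP and per minute, flags minutes with either a burst or an unusually large number of distinct source IPs (the distributed case a per-IP rule alone would miss), and notes any requests from the source IPs the article lists. The upload path /wp-content/uploads/ and the per-minute thresholds are assumptions; the article says only "the WordPress directory". The log lines are constructed.

```python
"""Flag XML-RPC brute-force traffic in web server access logs.

Added example, not code from the article or from Sucuri. The log lines are
constructed; the upload path and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Source IPs the article names as the dominant request sources.
KNOWN_SOURCE_IPS = {
    "146.70.199.169", "138.199.60.23", "138.199.60.32",
    "138.199.60.19", "87.121.87.178",
}

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": stamp.strftime("%Y-%m-%d %H:%M"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def analyse(lines, per_minute_threshold=10, distinct_ip_threshold=5):
    """Summarise xmlrpc.php POST activity and credential-file probes."""
    per_ip = Counter()
    per_minute = Counter()
    ips_per_minute = defaultdict(set)
    upload_probes = []
    known_hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in KNOWN_SOURCE_IPS:
            known_hits.add(rec["ip"])
        if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]] += 1
            per_minute[rec["minute"]] += 1
            ips_per_minute[rec["minute"]].add(rec["ip"])
        # Assumed location of the credential file; a 200 here means a login worked.
        elif (rec["method"] == "GET"
              and rec["path"].startswith("/wp-content/uploads/")
              and rec["path"].endswith(".txt")):
            upload_probes.append((rec["ip"], rec["path"], rec["status"]))
    flagged = sorted(
        minute for minute, n in per_minute.items()
        if n >= per_minute_threshold
        or len(ips_per_minute[minute]) >= distinct_ip_threshold
    )
    return {
        "xmlrpc_posts_per_ip": dict(per_ip),
        "flagged_minutes": flagged,
        "known_source_ips_seen": sorted(known_hits),
        "upload_probes": upload_probes,
        "successful_upload_probes": [p for p in upload_probes if p[2] == 200],
    }


def _line(ip, method, path, status, second):
    """Build one constructed combined-format log line (real browser UA, as in the attack)."""
    return (f'{ip} - - [02/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a burst of XML-RPC posts from three visitor IPs (one of
# them on the article's list), two credential-file probes, normal traffic,
# and one unparseable line.
SAMPLE_LOG = (
    [_line("198.51.100.7", "POST", "/xmlrpc.php", 200, s) for s in range(12)]
    + [_line("203.0.113.5", "POST", "/xmlrpc.php", 200, s) for s in range(20, 23)]
    + [_line("146.70.199.169", "POST", "/xmlrpc.php", 200, s) for s in range(30, 32)]
    + [_line("192.0.2.44", "GET", "/wp-content/uploads/abc.txt", 404, 40),
       _line("192.0.2.44", "GET", "/wp-content/uploads/def.txt", 200, 41),
       _line("192.0.2.9", "GET", "/index.php", 200, 50),
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Two points follow from the design. The user agents in these requests are those of genuine browsers, so agent-based filtering is useless here; the volume and the spread of source addresses are the signal. And because the page says the site was reached through the wp.uploadFile XML-RPC method, a site that does not need XML-RPC can remove the attack surface entirely: WordPress exposes the xmlrpc_enabled filter for that purpose, and a web server rule denying access to xmlrpc.php achieves the same.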

Over a span of four days, Sinegubko documented over 1,200 unique IP addresses initiating multiple requests, with five sources accounting for the majority of these interactions.

  • 146.70.199.169 – 34.37% – M247, RO
  • 138.199.60.23 – 28.13% – CDNEXT, GB
  • 138.199.60.32 – 10.96% – CDNEXT, GB
  • 138.199.60.19 – 6.54% – CDNEXT, GB
  • 87.121.87.178 – 5.94% – SOUZA-AS, BR

The campaign behind these addresses is alarming precisely because the visitors whose browsers were exploited are themselves benign. Sinegubko noted that script blockers such as NoScript can stymie such attacks, although these tools may not suit users who want a seamless browsing experience.

Ultimately, the recent onslaught underscores a concerning theme in cybersecurity: the deliberate exploitation of innocent systems to fuel a wave of cybercrime.


About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.