Sunday, May 19, 2024

Hacked WordPress Sites Using Visitors’ Browsers For Distributed Brute Force Attacks

Researchers recently uncovered distributed brute force attacks on target WordPress websites using the browsers of innocent site visitors. 

A recent increase in website hacking that targets Web3 and cryptocurrency assets was noticed two weeks ago.

This malware, spread across several campaigns, uses cryptocurrency drainers to steal assets from compromised wallets and redistribute them.

According to Sucuri researchers, the most notable variation uses the external cachingjs/turboturbo.js script to inject drainers.

The domain name of the turboturbo.js script was modified on February 20, 2024; it was previously dynamiclinks[.]cfd/cachingjs/turboturbo.js, but it is right now dynamiclink[.]lol/cachingjs/turboturbo.js.

“This new wave started on the very same day the new dynamiclink[.]lol domain was registered and hosted on the server with IP 93.123.39.199”, researchers said.


Distributed Brute Force Attacks On WordPress Sites

Attackers created a second dynamic-linx[.]com domain on February 23, 2024 (which is also hosted on 93.123.39.199 and 94.156.8.251).

By February 25th, researchers were able to identify injections using the dynamic-linx[.]com/chx.js script.

But this new script is very different, because it doesn’t load a crypto drainer. Researchers say the script’s contents have no connection to Web3 or cryptocurrencies at all.

The five main stages of this recent attack let a malicious actor use websites that are already compromised to mount distributed brute force attacks against thousands of additional potential target sites.

  • Obtain URLs of WordPress sites
  • Extract author usernames
  • Inject malicious scripts
  • Brute force credentials
  • Verify compromised credentials

According to the information shared with Cyber Security News, whenever a visitor opens an infected webpage, their browser requests a task from the hxxps://dynamic-linx[.]com/getTask.php URL.

When a task is found, the data is processed to extract the URL of the target website, an operational username, and a list of 100 passwords to try.

For each password in the list, the visitor’s browser issues a wp.uploadFile XML-RPC API call, attempting to upload a file that contains the encrypted credentials used to authenticate that particular request.

Each task therefore entails 100 API requests. If authentication succeeds, a short text file containing the valid credentials is created in the WordPress uploads directory.

Once all of the passwords have been tried, the script reports that the task with the given taskId and checkId has finished.

Finally, the script fetches the next task and works through another set of credentials, repeating without end for as long as the compromised page stays open.
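From the site owner’s side, the traffic pattern described above is what a defender can detect: every task the visitor’s browser picks up turns into a burst of about 100 POST requests to xmlrpc.php, and across many visitors the same site sees that endpoint hit from many unrelated client addresses within a short time. The following detector is an added example, not code from Sucuri or from this article; it parses a constructed web-server access log in the common "combined" format, then raises one alert when a single client sends many POSTs to xmlrpc.php inside a sliding window and another when the number of distinct clients POSTing to xmlrpc.php in that window exceeds a threshold. The thresholds, the sample IP addresses and the log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: a task is ~100 XML-RPC calls, so 20 from one client in a
# minute is already far above normal; 5 distinct clients in a minute catches the
# distributed case where each visitor's browser only contributes a few requests.
WINDOW_SECONDS = 60
PER_IP_THRESHOLD = 20
DISTRIBUTED_THRESHOLD = 5


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_xmlrpc_post(rec):
    # Query strings are ignored; only the path is checked.
    return rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php")


def detect(lines, window=WINDOW_SECONDS, per_ip_threshold=PER_IP_THRESHOLD,
           distributed_threshold=DISTRIBUTED_THRESHOLD):
    """Scan log lines in order and return a list of alert dicts.

    HTTP status is deliberately not used: a failed XML-RPC login still returns
    200 with a fault body, so request volume is the only signal in access logs.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of xmlrpc POSTs in the window
    recent = deque()              # (timestamp, ip) of every xmlrpc POST in the window
    alerted_ips = set()
    distributed_alerted = False
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_post(rec):
            continue
        t, ip = rec["ts"], rec["ip"]

        # Rule 1: one client hammering xmlrpc.php (a single task in progress).
        q = per_ip[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= per_ip_threshold and ip not in alerted_ips:
            alerted_ips.add(ip)
            alerts.append({"rule": "single-client-burst", "ip": ip, "count": len(q), "at": t})

        # Rule 2: many distinct clients POSTing to xmlrpc.php (distributed workers).
        recent.append((t, ip))
        while (t - recent[0][0]).total_seconds() > window:
            recent.popleft()
        distinct = {src for _, src in recent}
        if len(distinct) >= distributed_threshold and not distributed_alerted:
            distributed_alerted = True
            alerts.append({"rule": "distributed-xmlrpc", "ip": None, "count": len(distinct), "at": t})
    return alerts


def _line(ip, ts, method, path, status=200):
    # Builds a constructed combined-format log line for the sample below.
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one normal visitor, one client running a full task
# (25 POSTs in 25 seconds), then six unrelated clients each sending a single POST.
BASE = datetime(2024, 2, 25, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("192.0.2.50", BASE, "GET", "/")]
SAMPLE_LOG += [_line("203.0.113.10", BASE + timedelta(seconds=i), "POST", "/xmlrpc.php")
               for i in range(1, 26)]
SAMPLE_LOG += [_line(f"198.51.100.{i}", BASE + timedelta(seconds=100 + i), "POST", "/xmlrpc.php")
               for i in range(1, 7)]
SAMPLE_LOG.append(_line("192.0.2.50", BASE + timedelta(seconds=110), "GET", "/wp-login.php"))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two rules are complementary: the per-client rule fires while a single visitor’s browser is working through one 100-password task, while the distinct-client rule fires even when each browser contributes only a handful of requests before the page is closed. Feeding real logs through `detect` line by line (or tailing the file) is enough to drive a block on the offending addresses or, more robustly, to confirm that xmlrpc.php should be restricted altogether.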

Mitigation

“Most likely, they (attackers) realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet.

Moreover, they draw too much attention and their domains get blocked pretty quickly”, researchers said.

This attack is a reminder of how important strong passwords are.

You may also want to consider limiting access to the xmlrpc.php file and WordPress admin interface to trusted IP addresses only.


Gurubaran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
