WordPress Under Siege by Brute-Force Assaults


Sucuri has uncovered a new wave of brute-force attacks targeting WordPress websites. Threat actors, using malicious JavaScript injections, have been running distributed brute-force assaults against WordPress sites with a novel approach.

Unlike previous waves where compromised WordPress sites were utilized for crypto drainers or redirection to phishing sites, the current wave adopts a different strategy. Over 700 sites have been affected so far, with injected scripts executing a systematic brute-force attack, leveraging a list of common and leaked passwords.

The attack unfolds in a series of stages, demonstrating the sophisticated nature of the threat. Initially, threat actors procure a list of target WordPress sites, followed by the extraction of real usernames of authors associated with these domains. Malicious JavaScript code is then injected into already compromised WordPress sites, priming them for the next stage. Upon landing on these infected sites, visitors unknowingly become conduits for launching distributed brute-force attacks on the target sites. The end goal? Unauthorized access to these vulnerable sites.

Denis Sinegubko, the security researcher behind the discovery, sheds light on the mechanics of the attack. For each password in the list, the visitor's browser sends a wp.uploadFile XML-RPC API request to the target site, attempting to upload a file containing the encrypted credentials. If authentication succeeds, a text file holding the valid credentials is created in the target site's WordPress uploads directory.
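From a defender's side, the pattern described above leaves two traces on the targeted site: a burst of POST requests to xmlrpc.php from many unrelated visitor IPs, each with a third-party page as Referer, and request bodies calling credential-bearing methods such as wp.uploadFile. The following is an added example (not code from Sucuri or from the article) that demonstrates both checks: it parses constructed combined-format access log lines, groups xmlrpc.php POSTs into time windows, flags windows with an unusual number of distinct client IPs, and inspects an XML-RPC request body to extract the method name and the username being tried (never the password). The log lines, host names and thresholds are constructed assumptions; the set of methods to watch is a starting point, not an exhaustive list.

```python
import re
import xmlrpc.client
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines (not real traffic). Six distinct
# client IPs each POST to xmlrpc.php within one minute, with a third-party page
# as Referer: the shape a browser-driven, distributed brute force leaves behind.
# The 10:30 entry is a single pingback-style request and should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised.example/" "Mozilla/5.0"
203.0.113.11 - - [05/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised.example/" "Mozilla/5.0"
203.0.113.12 - - [05/Mar/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised.example/" "Mozilla/5.0"
198.51.100.5 - - [05/Mar/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Mar/2024:10:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://other-compromised.example/page" "Mozilla/5.0"
203.0.113.14 - - [05/Mar/2024:10:00:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised.example/" "Mozilla/5.0"
203.0.113.15 - - [05/Mar/2024:10:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised.example/" "Mozilla/5.0"
192.0.2.7 - - [05/Mar/2024:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/6.4; https://blog.example"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# XML-RPC methods that carry a username/password pair in their parameters.
# wp.uploadFile is the one used in the campaign described in the article;
# wp.getUsersBlogs is another real WordPress method commonly abused for
# credential checks. Extend this set as your own telemetry dictates.
CREDENTIAL_METHODS = {"wp.uploadFile", "wp.getUsersBlogs"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def xmlrpc_windows(lines, window_seconds=60):
    """Group POSTs to xmlrpc.php into fixed time buckets: {bucket_epoch: {ip: set(referers)}}.
    XML-RPC login failures come back as HTTP 200 with a <fault>, so the status
    code is deliberately not used as a signal; volume and IP diversity are."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith("/xmlrpc.php"):
            continue
        bucket = int(rec["time"].timestamp()) // window_seconds * window_seconds
        buckets[bucket][rec["ip"]].add(rec["referer"])
    return buckets


def flag_distributed_bruteforce(lines, window_seconds=60, min_distinct_ips=5):
    """Return one alert per window in which at least min_distinct_ips different
    clients POSTed to xmlrpc.php. The referers collected per window point at the
    compromised sites whose injected script drove the visitors' browsers."""
    alerts = []
    for bucket, ips in sorted(xmlrpc_windows(lines, window_seconds).items()):
        if len(ips) < min_distinct_ips:
            continue
        referers = {r for refs in ips.values() for r in refs if r != "-"}
        alerts.append({
            "window_start_epoch": bucket,
            "distinct_ips": len(ips),
            "referers": sorted(referers),
        })
    return alerts


def inspect_xmlrpc_body(body):
    """Return (method_name, username) for an XML-RPC methodCall body, or (None, None)
    if it cannot be parsed. For wp.uploadFile the parameters are
    (blog_id, username, password, data); only the username is surfaced so that
    alerts never carry the password being tried."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return None, None
    username = None
    if method in CREDENTIAL_METHODS and len(params) >= 2 and isinstance(params[1], str):
        username = params[1]
    return method, username


# Constructed wp.uploadFile request body, built with the standard library's
# marshaller; the credentials and file content are placeholders.
SAMPLE_BODY = xmlrpc.client.dumps(
    (1, "editor", "not-a-real-password",
     {"name": "notes.txt", "type": "text/plain", "bits": xmlrpc.client.Binary(b"constructed")}),
    methodname="wp.uploadFile",
)

if __name__ == "__main__":
    for alert in flag_distributed_bruteforce(SAMPLE_LOG.splitlines()):
        print("distributed xmlrpc.php burst:", alert)
    print("request body:", inspect_xmlrpc_body(SAMPLE_BODY))
```

On a real site the same two functions would run over the web server's access log and, where a WAF or reverse proxy exposes request bodies, over POST payloads to xmlrpc.php; a window of many distinct IPs with third-party referers is the signal that the brute force is being relayed through visitors' browsers rather than coming from a single scanner, which also means per-IP rate limits alone will not stop it.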

The motive behind this shift from crypto drainers to brute-force attacks remains speculative, though profit incentives are plausible. Compromised WordPress sites offer various monetization avenues, potentially driving threat actors to explore new tactics.

Notably, the prevalence of crypto wallet drainers has resulted in substantial losses, highlighting the urgency for robust cybersecurity measures. Scam Sniffer data reveals losses amounting to hundreds of millions in digital assets in 2023 alone. Drainers exploit vulnerabilities in the wallet’s encoding process, evading detection and exacerbating the threat landscape.

In parallel, the cybersecurity community is grappling with emerging threats such as the exploitation of critical vulnerabilities in popular WordPress plugins. The DFIR Report documents exploitation of a critical flaw in the 3DPrint Lite plugin, paving the way for the deployment of the Godzilla web shell. This underscores the persistent efforts of threat actors to exploit weaknesses in widely used platforms for malicious purposes.

Furthermore, the SocGholish campaign presents a new challenge, targeting WordPress websites through JavaScript malware distributed via modified legitimate plugins. Compromised admin credentials facilitate the installation of these plugins, setting the stage for potential ransomware attacks.

Ben Martin, another prominent figure in the cybersecurity domain, emphasizes the recurrent nature of such attacks. Despite variations in tactics, the end goal remains consistent: to deceive unsuspecting visitors into unwittingly facilitating cyber threats, ultimately serving as entry points for ransomware attacks.

In response to these evolving threats, stakeholders emphasize the imperative of proactive cybersecurity measures. WordPress site owners are urged to fortify their defenses, employing robust security protocols and staying vigilant against potential vulnerabilities. Collaboration within the cybersecurity community is paramount, enabling swift detection and mitigation of emerging threats.

As the cybersecurity landscape continues to evolve, vigilance and proactive measures remain the cornerstone of defense against malicious actors. By staying informed and adopting stringent security practices, WordPress sites can effectively safeguard against potential threats, ensuring a secure digital environment for all users.
