Threat actors are conducting brute force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.
The attacks, which take the form of distributed brute force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” said security researcher Denis Sinegubko.
The activity is part of a previously documented wave of attacks in which compromised WordPress sites have been used to directly inject crypto drainers such as Angel Drainer or redirect site visitors to Web3 phishing sites containing drainer malware.
The latest iteration is notable for the fact that the injections – found on over 700 sites to date – do not load a drainer but rather use a list of common, leaked passwords to brute force crack other WordPress sites.
The attack unfolds in five phases, allowing the threat actor to take advantage of already compromised websites to launch distributed brute force attacks against other potential victim sites:
- Get a list of target WordPress sites
- Extract real usernames of authors posting on those domains
- Inject malicious JavaScript code into already infected WordPress sites
- Launch a distributed brute force attack on target sites via the browser when visitors land on the compromised sites
- Gain unauthorized access to target sites
“For each password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials used to authenticate this specific request,” Sinegubko explained. “If authentication is successful, a small text file with valid credentials is created in the WordPress uploads directory.”
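The mechanism described above has a recognisable server-side footprint: a short burst of POST requests to xmlrpc.php arriving from many unrelated visitor IPs, each sending only a handful of attempts, rather than the single-source hammering of a classic brute force. The following Python snippet is an added detection example written for this page; it is not code from Sucuri or from the original article. It parses combined-format access log lines (the sample lines are constructed), groups POST /xmlrpc.php requests into fixed time windows, and flags windows whose request count is spread thinly across many distinct IPs. A second helper extracts the XML-RPC methodName from a request body so a WAF or body-logging proxy can single out wp.uploadFile calls. The Referer field is reported only as supporting context: it is an assumption here that browser-issued requests from a compromised site carry one, and referrer policy may strip it.

```python
"""Detect distributed (browser-sourced) XML-RPC brute force against a WordPress site.

Added example for illustration; thresholds and log lines are constructed, not
taken from any real incident.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample: 12 distinct "visitor" IPs each POST xmlrpc.php twice within a
# minute (the distributed pattern), plus one normal page view and one lone POST an hour later.
SAMPLE_LOG = [
    f'203.0.113.{i} - - [01/Mar/2024:10:0{j}:00 +0000] "POST /xmlrpc.php HTTP/1.1" '
    f'200 512 "https://infected-site.example/" "Mozilla/5.0"'
    for i in range(1, 13) for j in range(2)
] + [
    '198.51.100.7 - - [01/Mar/2024:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Mar/2024:11:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# Constructed XML-RPC body of the kind a wp.uploadFile call would carry
# (credentials replaced with placeholders).
SAMPLE_XMLRPC_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>wp.uploadFile</methodName>
  <params>
    <param><value><int>1</int></value></param>
    <param><value><string>AUTHOR_USERNAME_PLACEHOLDER</string></value></param>
    <param><value><string>PASSWORD_GUESS_PLACEHOLDER</string></value></param>
    <param><value><struct>
      <member><name>name</name><value><string>x.txt</string></value></member>
      <member><name>type</name><value><string>text/plain</string></value></member>
      <member><name>bits</name><value><base64>ZGF0YQ==</base64></value></member>
    </struct></value></param>
  </params>
</methodCall>"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def xmlrpc_method_name(body):
    """Return the <methodName> of an XML-RPC request body, or None if it cannot be parsed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    el = root.find("methodName")
    return el.text.strip() if el is not None and el.text else None


def _bucket(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    minute = ts.minute - ts.minute % window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def find_distributed_xmlrpc_bursts(lines, window_minutes=5, min_requests=10,
                                   min_distinct_ips=8, max_per_ip=3):
    """Flag time windows where POST /xmlrpc.php traffic is high in volume but spread
    thinly across many source IPs. HTTP status is deliberately ignored: XML-RPC
    authentication failures are returned as faults inside an HTTP 200 response."""
    windows = {}
    for event in (parse_line(l) for l in lines):
        if not event or event["method"] != "POST" or not event["path"].startswith("/xmlrpc.php"):
            continue
        windows.setdefault(_bucket(event["ts"], window_minutes), []).append(event)

    alerts = []
    for start, events in sorted(windows.items()):
        per_ip = Counter(e["ip"] for e in events)
        if (len(events) >= min_requests and len(per_ip) >= min_distinct_ips
                and max(per_ip.values()) <= max_per_ip):
            alerts.append({
                "window_start": start,
                "requests": len(events),
                "distinct_ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
                # Referer is context only: visitors' browsers may or may not send it.
                "top_referers": Counter(e["referer"] for e in events).most_common(3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_distributed_xmlrpc_bursts(SAMPLE_LOG):
        print(alert)
    print("method:", xmlrpc_method_name(SAMPLE_XMLRPC_BODY))
```

The per-IP ceiling is what separates this pattern from an ordinary single-source brute force, which existing rate limiting already catches; tune the thresholds to the site's normal XML-RPC volume, and if XML-RPC is not needed at all, disabling it removes the attack surface entirely.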
It is currently unknown what prompted the threat actors to switch from crypto drainers to distributed brute force attacks, although it is believed that the change may have been driven by profit motives, as compromised WordPress sites could be monetized in various ways.
That said, according to data from Scam Sniffer, crypto wallet drainers led to losses amounting to hundreds of millions in digital assets in 2023. The Web3 anti-scam solutions provider has since revealed that drainers are exploiting the process of normalization in the wallet’s EIP-712 encryption procedure to bypass security warnings.
The development comes as The DFIR Report revealed that threat actors are exploiting a critical flaw in a WordPress plugin called 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.
It also follows a new SocGholish (also known as FakeUpdates) campaign targeting WordPress websites where JavaScript malware is distributed via modified versions of legitimate plugins installed by exploiting compromised administrator credentials.
“Although there have been a number of maliciously modified plugins and several fake browser update campaigns, the goal is of course always the same: to trick unsuspecting website visitors into downloading remote access trojans which will later be used as a point of initial access for a ransomware attack,” said security researcher Ben Martin.