Hacked WordPress Sites Exploiting Visitors’ Browsers for Distributed Brute-Force Attacks

Recent Threats Targeting WordPress Sites via Distributed Brute-Force Attacks

Recent findings from cybersecurity firm Sucuri have unveiled a significant threat facing WordPress website owners. A new wave of brute-force attacks has emerged, employing malicious JavaScript injections that exploit unknowing visitors’ browsers. The research indicates that these attacks constitute distributed brute-force efforts aimed directly at WordPress sites.

According to security researcher Denis Sinegubko, these attacks uniquely leverage the browsers of innocent site visitors to launch their assaults. This alarming trend is part of a broader scheme previously documented, where compromised WordPress platforms were weaponized to introduce crypto drainers like Angel Drainer or redirect traffic to phishing sites packed with malware targeting Web3 users.

The current attack iteration is distinct in that the malicious injections—identified on over 700 websites—are not used to facilitate crypto drainers. Instead, these injections utilize a roster of commonly leaked or weak passwords for brute-forcing other WordPress sites. The attack procedure unfolds in multiple stages, allowing threat actors to exploit already compromised websites to extend their reach to new targets.

The attack begins with acquiring a list of potential WordPress sites to target. The malicious actors extract real usernames associated with these domains, then inject harmful JavaScript into already infected sites. When visitors land on these compromised platforms, their browsers are enlisted to execute distributed brute-force login attempts against the identified target sites. If successful, these actions result in unauthorized access, creating a backdoor into the victim sites.

Sinegubko elaborated on the mechanics of the attack: for each password in the attackers’ list, the visitor’s browser sends an XML-RPC API request to the target site attempting to upload a small text file. The upload only goes through when the login succeeds, so a successful attempt leaves a new file recording the valid credentials in the targeted WordPress site’s uploads directory, further compromising its security.
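The pattern described above is easy to recognise from the target site’s side: many unrelated client addresses POST to xmlrpc.php within a short window, each making only a handful of requests, often with a Referer pointing at some unrelated infected site. The detector below is an added example for this article, not code from Sucuri or from the report; the access log lines are constructed (documentation IP ranges and example hostnames), and the 60-second window and five-IP threshold are assumed starting points, not values from the research.

```python
"""Flag distributed brute-force bursts against WordPress xmlrpc.php.

Added example (not from the Sucuri report): reads web-server access logs in
Apache combined format and alerts when many distinct client IPs POST to
/xmlrpc.php within a short window, the footprint left when visitors' browsers,
rather than a single attacker host, carry out the login attempts.
"""
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample log (documentation IP ranges, example hostnames; not real traffic).
# First burst: six different browsers, one POST each, within 30 seconds.
# Second cluster: one scripted client hammering xmlrpc.php on its own.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://infected-blog.example/" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.11 - - [12/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://infected-blog.example/" "Mozilla/5.0 (Macintosh)"
203.0.113.12 - - [12/Mar/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://another-infected.example/news/" "Mozilla/5.0 (X11; Linux)"
198.51.100.20 - - [12/Mar/2024:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.13 - - [12/Mar/2024:10:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://infected-blog.example/" "Mozilla/5.0 (iPhone)"
203.0.113.14 - - [12/Mar/2024:10:00:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://infected-blog.example/" "Mozilla/5.0 (Android)"
203.0.113.15 - - [12/Mar/2024:10:00:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://another-infected.example/news/" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.77 - - [12/Mar/2024:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.77 - - [12/Mar/2024:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.77 - - [12/Mar/2024:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def xmlrpc_posts(log_text):
    """Keep only POSTs to xmlrpc.php, sorted by time. The HTTP status is deliberately
    ignored: WordPress answers a failed XML-RPC login with 200 and a fault in the body."""
    events = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php":
            events.append(e)
    events.sort(key=lambda ev: ev["ts"])
    return events


def summarize(events):
    """Reduce one burst to the figures an analyst wants: breadth, depth per IP, referers."""
    per_ip = Counter(e["ip"] for e in events)
    return {
        "start": events[0]["ts"].isoformat(),
        "end": events[-1]["ts"].isoformat(),
        "requests": len(events),
        "distinct_ips": len(per_ip),
        "max_requests_per_ip": max(per_ip.values()),
        "referers": sorted({e["referer"] for e in events if e["referer"] != "-"}),
    }


def detect_distributed_xmlrpc(log_text, window_seconds=60, min_distinct_ips=5):
    """Sliding-window detector: one alert per burst in which at least
    `min_distinct_ips` different clients hit xmlrpc.php within `window_seconds`."""
    window = deque()
    bursts = []
    burst = None  # events of the burst currently being tracked, or None
    for e in xmlrpc_posts(log_text):
        window.append(e)
        while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({w["ip"] for w in window})
        if distinct >= min_distinct_ips:
            if burst is None:
                burst = list(window)  # a new burst starts with the whole window
                bursts.append(burst)
            else:
                burst.append(e)
        else:
            burst = None  # breadth dropped below threshold: the burst is over
    return [summarize(b) for b in bursts]


if __name__ == "__main__":
    for alert in detect_distributed_xmlrpc(SAMPLE_LOG):
        print(alert)
```

The single scripted client at the end never triggers an alert, which is the point: a per-IP rate limit would catch that one but is blind to the browser-distributed case, where `max_requests_per_ip` stays at 1 while `distinct_ips` climbs. The collected referers are worth feeding back to whoever owns those sites, since each one is a compromised WordPress install serving the injected script.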

As to the rationale behind this shift from crypto drainers to distributed brute-force tactics, the motive most likely comes down to monetization. Compromised WordPress sites can yield substantial financial gains once attackers gain access, opening avenues for further exploits. That said, cryptocurrency wallet drainers have previously generated losses amounting to hundreds of millions of dollars in 2023, indicating the potential profitability of various malicious methods.

Recent developments have highlighted additional vulnerabilities exploited by threat actors. A report outlined how hackers leveraged a critical flaw within the 3DPrint Lite WordPress plugin, which has a CVSS score of 9.8, to deploy the Godzilla web shell, affording them persistent remote access. This follows a separate campaign targeting WordPress sites with modified versions of legitimate plugins, employing social engineering to lure visitors into inadvertently downloading malware.

Cybersecurity professionals emphasize the importance of robust security measures, particularly for website owners operating on platforms like WordPress. Effective strategies may include regular updates of plugins, stringent password policies, and the implementation of firewalls to mitigate potential breaches. Employing tools to monitor site integrity can also be vital in detecting unauthorized changes.

In summary, the troubling trend of distributed brute-force attacks on WordPress sites underscores the need for heightened vigilance and proactive cybersecurity measures. Business owners must be prepared to defend against such evolving threats to safeguard their online assets and maintain the integrity of their digital environments.
