In a recent cybersecurity discovery, website security firm Sucuri has uncovered a widespread attack on WordPress sites. Hackers are injecting malicious scripts into compromised WordPress sites, which then utilize visitors' browsers to conduct brute force attacks on other websites. This alarming campaign highlights the vulnerabilities of WordPress sites and the potential for unsuspecting users to unwittingly participate in cyber attacks.
The Rise of Crypto Wallet Drainers:
The initial focus of the hacking campaign was to inject crypto wallet drainer scripts into compromised WordPress sites. Crypto wallet drainers are malicious scripts that are designed to steal cryptocurrency and other assets when users connect their wallets to certain websites. The attackers would deceive visitors by displaying misleading messages, convincing them to connect their wallets, only to have their assets stolen in the process.
Building a Brute Force Army:
As the campaign progressed, the threat actors shifted their strategy. Instead of solely focusing on crypto wallet draining, they turned their attention to leveraging visitors' browsers to conduct brute force attacks on other WordPress sites. In such attacks, the hackers attempt to log in to accounts using different passwords to find the correct one. Once successful, they could steal sensitive data, inject malicious scripts, or encrypt files on the compromised site.
The Process of the Attack:
To carry out the brute force attacks, the hackers compromise a WordPress site and inject malicious code into the HTML templates. When visitors access these compromised sites, their browsers load the injected scripts from the malicious domain 'https://dynamic-linx.com/chx.js.' These scripts then quietly communicate with the threat actors' server at 'https://dynamic-linx.com/getTask.php' to receive a password brute forcing task.
The task is delivered to the visitor's browser in the form of a JSON file containing parameters for the brute force attack. It includes the ID, website URL, account name, and a batch of one hundred passwords to try. The visitor's browser then uploads the JSON data via the WordPress site's XMLRPC interface, attempting each password in the batch until a correct one is found.
Implications and Future Threats:
Sucuri's research reveals that there are currently over 1,700 compromised sites being used to spread these scripts and loaders, creating a large pool of unwitting participants in this distributed brute force army. One of the significant concerns is the potential scale of future attacks that can be launched from the compromised sites. The attackers could carry out crypto-draining attacks or other nefarious activities, leveraging their extensive portfolio of compromised websites.
Conclusion:
The discovery of hacked WordPress sites being used to exploit visitors' browsers for brute force attacks on other sites is a stark reminder of the ever-evolving threat landscape. This campaign underscores the importance of maintaining robust website security measures and regularly updating WordPress installations to mitigate the risk of exploitation. Web administrators and visitors alike must remain vigilant and implement necessary precautions to safeguard against these types of attacks. Awareness, proactive security practices, and staying informed about emerging threats are crucial in the ongoing battle against cybercriminals.
