Hackers exploit WordPress sites to abuse visitors' browsers for distributed brute-force attacks

admin, 10 March 2024 11:41:11, 14 views, 4,010 characters, 13 min 22 s read

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.

The attacks, which take the form of distributed brute-force attacks, "target WordPress websites from the browsers of completely innocent and unsuspecting site visitors," security researcher Denis Sinegubko said.

The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don't load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.

The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other potential victim sites:

  • Obtaining a list of target WordPress sites
  • Extracting real usernames of authors that post on those domains
  • Injecting the malicious JavaScript code into already infected WordPress sites
  • Launching a distributed brute-force attack on the target sites via the browser when visitors land on the hacked sites
  • Gaining unauthorized access to the target sites

"For every password in the list, the visitor's browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request," Sinegubko explained. "If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory."

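As an added example (not from the original article, Sucuri, or WordPress), the following Python detector runs over constructed access-log lines of a targeted site: XML-RPC POSTs that carry a browser User-Agent and a cross-site Origin header, arriving from many distinct visitor IPs, match the browser-driven brute-force pattern described above. The trailing Origin field in the log format is an assumed custom LogFormat, and all hosts and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: Apache "combined" format plus a trailing
# Origin field (an assumed custom LogFormat). Several distinct visitor IPs POST
# to xmlrpc.php with browser user agents and the same cross-site Origin, which
# is what a brute force run from visitors' browsers looks like on the target.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2024:11:41:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://hacked.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "https://hacked.example"
198.51.100.11 - - [10/Mar/2024:11:41:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://hacked.example/post/1" "Mozilla/5.0 (Macintosh) Safari/605.1" "https://hacked.example"
203.0.113.7 - - [10/Mar/2024:11:41:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://hacked.example/" "Mozilla/5.0 (X11; Linux) Firefox/123.0" "https://hacked.example"
203.0.113.8 - - [10/Mar/2024:11:41:13 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "-"
192.0.2.5 - - [10/Mar/2024:11:41:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 377 "-" "WordPress/6.4; https://blog.example" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)
BROWSER_UA = re.compile(r"Mozilla/")  # legitimate XML-RPC clients are apps, not browsers


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_browser_xmlrpc_post(rec):
    """POST to xmlrpc.php from a browser UA with a cross-site Origin header set."""
    path = rec["path"].split("?")[0]
    return (rec["method"] == "POST" and path.endswith("/xmlrpc.php")
            and BROWSER_UA.search(rec["ua"]) is not None
            and rec["origin"] not in ("", "-"))


def distributed_xmlrpc_sources(log_text, min_ips=3):
    """Group browser-originated xmlrpc.php POSTs by Origin and report origins
    seen from at least min_ips distinct client IPs: the Origin is the domain of
    the compromised site whose visitors are doing the brute forcing."""
    ips_by_origin = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_browser_xmlrpc_post(rec):
            ips_by_origin[rec["origin"]].add(rec["ip"])
    return {o: len(ips) for o, ips in ips_by_origin.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for origin, n in distributed_xmlrpc_sources(SAMPLE_LOG).items():
        print(f"browser-driven XML-RPC brute force from {origin}: {n} distinct visitor IPs")
```

Flagged origins point at compromised sites worth reporting, and the same log filter (browser UA plus Origin on xmlrpc.php) is a reasonable trigger for rate limiting or blocking XML-RPC when the site does not need it.
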
It's currently not known what prompted the threat actors to switch from crypto drainers to distributed brute-force attacks, although it's believed that the change may have been driven by profit motives, as compromised WordPress sites can be monetized in various ways.

That said, crypto wallet drainers have led to losses amounting to hundreds of millions in digital assets in 2023, according to data from Scam Sniffer. The Web3 anti-scam solution provider has since revealed that drainers are exploiting the normalization process in the wallet's EIP-712 encoding procedure to bypass security alerts.

The development comes as The DFIR Report revealed that threat actors are exploiting a critical flaw in a WordPress plugin named 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.

It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress websites in which the JavaScript malware is distributed via modified versions of legitimate plugins that are installed by taking advantage of compromised admin credentials.

"Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack," security researcher Ben Martin said.


Originally published on the WeChat public account (知机安全): Hackers exploit WordPress sites to abuse visitors' browsers for distributed brute-force attacks