Mar 07, 2024NewsroomVulnerability / Web Security

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.

The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said.

The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don’t load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.

The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other potential victim sites –

• Obtaining a list of target WordPress sites
• Extracting real usernames of authors that post on those domains
• Inject the malicious JavaScript code to already infected WordPress sites
• Launching a distributed brute-force attack on the target sites via the browser when visitors land on the hacked sites
• Gaining unauthorized access to the target sites

“For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request,” Sinegubko explained. “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”

It’s currently not known what prompted the threat actors to switch from crypto drainers to distributed brute-force attack, although it’s believed that the change may have been driven by profit motives, as compromised WordPress sites could be monetized in various ways.

That said, crypto wallet drainers have led to losses amounting to hundreds of millions in digital assets in 2023, according to data from Scam Sniffer. The Web3 anti-scam solution provider has since revealed that drainers are exploiting the normalization process in the wallet’s EIP-712 encoding procedure to bypass security alerts.

The development comes as the DFIR report revealed that threat actors are exploiting a critical flaw in a WordPress plugin named 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.

It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress websites in which the JavaScript malware is distributed via modified versions of legitimate plugins that are installed by taking advantage of compromised admin credentials.

“Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack,” security researcher Ben Martin said.

Jan 11, 2024NewsroomOnline Security / Cryptocurrency

The compromise of Mandiant’s X (formerly Twitter) account last week was likely the result of a “brute-force password attack,” attributing the hack to a drainer-as-a-service (DaaS) group.

“Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected,” the threat intelligence firm said in a post shared on X.

The attack, which took place on January 3, 2023, enabled the threat actor to take control of the company’s X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

Drainers refer to malicious scripts and smart contracts that facilitate the theft of digital assets from the victim’s wallets after they are tricked into approving the transactions.

According to the Google-owned subsidiary, multiple threat actors are believed to have leveraged CLINKSINK since December 2023 to siphon funds and tokens from Solana (SOL) cryptocurrency users.

As observed in the case of other drainers like Angel Drainer and Inferno Drainer, affiliates are roped in by the DaaS operators to conduct the attacks in exchange for a cut (typically 20%) of the stolen assets.

The identified activity cluster involves at least 35 affiliate IDs and 42 unique Solana wallet addresses, collectively netting the actors no less than $900,000 in illegal profits.

The attack chains involve the use of social media and chat applications such as X and Discord to distribute cryptocurrency-themed phishing pages that encourage the targets to connect their wallets to claim a bogus token airdrop.

“After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim,” security researchers Zach Riddle, Joe Dobson, Lukasz Lamparski, and Stephen Eckels said.

CLINKSINK, a JavaScript drainer, is designed to open a pathway to the targeted wallets, check the current balance on the wallet, and ultimately pull off the theft after asking the victim to sign a fraudulent transaction. This also means that the attempted theft will not succeed if the victim rejects the transaction.

The drainer has also spawned several variants, including Chick Drainer (or Rainbow Drainer), raising the possibility that the source code is available to multiple threat actors, allowing them to mount independent draining campaigns.

“The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors,” Mandiant said.

“Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future.”

The development comes amid an uptick in attacks targeting legitimate X accounts to spread cryptocurrency scams.

Earlier this week, the X account associated with the U.S. Securities and Exchange Commission (SEC) was breached to falsely claim that the regulatory body had approved the “listing and trading of spot bitcoin exchange-traded products,” causing bitcoin prices to spike briefly.

X has since revealed the hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third-party,” and that the account did not have two-factor authentication enabled.