ClickCease WordPress Brute-Force Attacks: Sites Used As Staging Ground

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

WordPress Brute-Force Attacks: Sites Used As Staging Ground

Wajahat Raja

March 19, 2024 - TuxCare expert team

In a recent discovery by Sucuri, a concerning trend has emerged involving brute-force attacks on WordPress sites through malicious JavaScript injections. These WordPress brute-force attacks stand out for their stealthy approach. Security researcher Denis Sinegubko notes that these attacks specifically target WordPress websites through the browsers of unsuspecting site visitors.

 

Modus Operandi Of WordPress Brute-Force Attacks

Hacked WordPress sites are increasingly becoming targets for malicious actors. This series of WordPress brute-force attacks builds upon a previously documented strategy where compromised WordPress sites were manipulated to inject crypto drainers or redirect visitors to Web3 phishing sites containing drainer malware. 

However, the latest version, affecting over 700 sites thus far, doesn’t employ a drainer but instead relies on a list of common and leaked passwords to execute brute-force attacks on other WordPress sites. The attack unfolds in five stages, allowing threat actors to exploit compromised websites for launching distributed brute-force attacks on potential victim sites:

 

  1. Obtaining a List of Target WordPress Sites: The attackers compile a list of WordPress sites to target.
  2. Extracting Real Usernames: By extracting the usernames of authors posting on those domains, the attackers gather valuable information.
  3. Injecting Malicious JavaScript Code: The compromised WordPress sites are injected with malicious JavaScript code.
  4. Launching Distributed Brute-Force Attack: The attack is initiated when visitors land on the hacked sites, unknowingly becoming a part of the distributed brute-force attack.
  5. Malicious Login Attempts: The final stage involves obtaining unauthorized access to the targeted sites using the list of passwords.


Shift from Crypto Drainers to WordPress Brute-Force Exploits


The motive behind this shift from crypto drainers to distributed brute-force attacks remains unclear, but speculation points to profit motives. Compromised WordPress sites can be monetized in various ways. Crypto wallet drainers, responsible for significant digital asset losses in 2023, may have prompted threat actors to explore alternative, less attention-drawing methods.


Recognizing the Significance of Strong Passwords


Security researchers suggest that attackers may have realized the limitations of crypto drainers at their scale of infection, approximately 1000 compromised sites. Crypto drainers draw excessive attention, resulting in quick domain blocking. This shift underscores the importance of WordPress security measures that include creating robust passwords to fortify against potential threats.


Brute-Force Attack Prevention


To fortify your WordPress site against these website security vulnerabilities, consider implementing the following measures:

 

  1. Limiting Access to xmlrpc.php File and Admin Interface: Restrict access to the xmlrpc.php file and the WordPress admin interface to trusted IP addresses only. This helps prevent unauthorized entry points for attackers.
  2. Perimeter81 Malware Protection: Employ Perimeter81 malware protection to block a range of malicious entities, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. These can wreak havoc on your network if left unchecked.


Emerging Threats and Vulnerabilities


This development comes in the wake of a DFIR report revealing that threat actors exploit a critical flaw in the 3DPrint Lite WordPress plugin (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access. Additionally, a SocGholish campaign, also known as FakeUpdates, targets WordPress websites by distributing JavaScript malware through modified versions of legitimate plugins. These plugins are installed by exploiting compromised admin credentials.

Security researcher Ben Martin emphasizes that, regardless of the various tactics used, the ultimate goal remains consistent – tricking unsuspecting website visitors into downloading remote access trojans. These trojans serve as the initial entry point for potential ransomware attacks.

 

Mitigating Cybersecurity Risks For WordPress


Brute-force attack mitigation requires proactive security measures. As the threat landscape shifts, the need for protecting WordPress websites becomes more evident. While the motive behind the recent shift from crypto drainers to distributed brute-force attacks remains speculative, it reinforces the importance of adapting security strategies to emerging threats.

 

Conclusion


In conclusion, safeguarding your WordPress site against evolving cyber threats necessitates a multi-faceted approach. Strengthening passwords, limiting access to critical files and interfaces, and deploying robust malware protection are crucial steps in fortifying your digital defenses. 

As threat actors adapt their tactics, staying informed, implementing proactive measures, and adopting WordPress security best practices will remain integral to maintaining the security and integrity of your online presence.

The sources for this piece include articles in The Hacker News and Bleeping Computer.

 

Summary
WordPress Brute-Force Attacks: Sites Used As Staging Ground
Article Name
WordPress Brute-Force Attacks: Sites Used As Staging Ground
Description
Hacked WordPress sites serve as attack staging grounds. Learn to strengthen your defense against WordPress brute-force attacks today.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started

Mail

Join

4,500

Linux & Open Source
Professionals!

Subscribe to
our newsletter