Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen

Researchers found a malicious package on NPM, uploaded a year ago
It was benign at first, and introduced malware later via an update
The malware stole hundreds of thousands of secrets and installed cryptojackers on dozes of computers

For roughly a year, hackers have been infecting red teamers, penetration testers, security researchers, as well as other hackers, with a piece of malware that steals WordPress credentials and other sensitive data, and installs cryptominers on compromised endpoints.

As a result, login credentials for some 390,000 WordPress accounts were stolen, and dozens of systems were found mining Monero.

NEVER MISS: State Dept. officials hinted at Israeli 'war crimes,' pushed Gaza aid days after Oct. 7 Hamas attack: report

Cybersecurity researchers Datadog Security Labs spotted the attack on the NPM package repository, and in GitHub, after researchers from Checkmarx also sounded the alarm on the same campaign recently.

The package was pretending to be an XML-RPC implementation, and was first uploaded to the repository in October 2023. Until November 2024, when it was finally discovered as malicious, it received 16 updates.

Legitimate at first

Datadog noted ho the attackers were tactical in their approach, first uploading a package that was legitimate and worked as intended. The malicious code was introduced in later versions, and designed to steal SSH keys, bash history, and other data, every 12 hours. The data it collects would get extracted either via Dropbox, or File.io.

NEVER MISS: FBI declines to say whether it will fire, discipline agent who said attack was 'not a terrorist event'

To make matters worse, researchers and security pros that would introduce XML-RPC into their own products would just expand the reach of the malware, turning it into a full-blown supply chain attack.

Datadog said that ultimately, the team found 68 compromised systems that were actively mining the Monero currency. Monero, with the XMR ticker, is most often mined with a cryptojacker called XMRig. This is a popular currency among thieves since it’s fully anonymous and very difficult to trace.

The identity of the threat actors was not discovered, but the researchers dubbed the group MUT-1224, which is short for Mysterious Unattributed Threat.

Major code repositories remain a vital platform for cybercriminals, the researchers concluded, stressing that developers should be extra careful when using open-source software.

Via BleepingComputer

Source link

Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen

Leave a Reply Cancel reply

Signup For Updates