Sucuri has documented a campaign in which threat actors use malicious JavaScript injected into compromised WordPress sites to run distributed brute-force attacks against other WordPress sites. As security researcher Denis Sinegubko notes, the browsers of ordinary visitors to the injected sites carry out the login attempts without the visitors' knowledge.
The wave is a variation of a previously documented injection pattern, but where earlier injections delivered crypto-wallet drainers, the code found this time, identified on more than 700 sites, instead makes the visitor's browser try common and leaked passwords against the login interfaces of other WordPress sites.
The attack unfolds in five stages, from fetching a list of target sites and a set of credentials to try, through to confirming which logins worked. For each username and password pair, the visitor's browser sends an authentication request to the target; a successful attempt is confirmed by a file the script writes into the target site's WordPress uploads directory, which signals to the attackers that the credentials are valid. Because each visitor contributes only a handful of attempts, the traffic arrives from many unrelated source addresses, which is what makes the technique distributed and why simple per-IP lockouts do little against it.
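As an added illustration (not part of Sucuri's report or of any code it describes), the following Python script shows how a defender might spot this traffic profile in a web server's access log. The point it demonstrates is the one above: per-IP rate limiting never fires when every client sends only one or two login attempts, so detection has to aggregate across clients within a time window. The log lines are constructed for the example, the endpoints watched (/wp-login.php and /xmlrpc.php) and the thresholds are assumptions to be tuned per site, and the `classify_auth_traffic` and `make_sample_log` names are the example's own.

```python
"""
Added example, not from Sucuri's report: aggregate POSTs to WordPress
authentication endpoints per time window and classify the profile.

A "distributed" window has many attempts spread thinly over many source
IPs (the campaign described above); a "concentrated" window is the classic
single-source burst that a per-IP lockout would already catch.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: these are the endpoints a login attempt hits. xmlrpc.php is
# included because its wp.* methods accept credentials with no browser session.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Apache/Nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def classify_auth_traffic(lines, window_seconds=300, min_attempts=20, max_per_ip=5):
    """Bucket auth POSTs into fixed windows and flag busy ones.

    The HTTP status is deliberately ignored: both wp-login.php and xmlrpc.php
    answer a failed login with 200, so volume, not status, is the signal.
    Thresholds are illustrative assumptions.
    """
    buckets = defaultdict(Counter)  # window index -> Counter(ip -> attempts)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in AUTH_PATHS:
            continue
        idx = int(rec["ts"].timestamp() // window_seconds)
        buckets[idx][rec["ip"]] += 1

    alerts = []
    for idx in sorted(buckets):
        per_ip = buckets[idx]
        attempts = sum(per_ip.values())
        if attempts < min_attempts:
            continue
        peak = max(per_ip.values())
        alerts.append({
            "window_start": datetime.fromtimestamp(idx * window_seconds, tz=timezone.utc),
            "attempts": attempts,
            "distinct_ips": len(per_ip),
            "peak_per_ip": peak,
            # A per-IP lockout at max_per_ip would never trigger on a
            # "distributed" window; that is the gap this detector fills.
            "profile": "distributed" if peak <= max_per_ip else "concentrated",
        })
    return alerts


def make_sample_log():
    """Constructed log lines, not real traffic: 30 visitor browsers each
    posting once or twice to xmlrpc.php inside two minutes (distributed),
    a 40-request single-IP burst an hour later (concentrated), plus benign GETs."""
    base = datetime(2024, 3, 6, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"

    def entry(ip, ts, method, path, status):
        return (f'{ip} - - [{ts.strftime(fmt)}] "{method} {path} HTTP/1.1" '
                f'{status} 512 "-" "Mozilla/5.0"')

    lines = []
    for i in range(30):
        ip = f"203.0.113.{i + 1}"          # documentation range, constructed
        t = base + timedelta(seconds=4 * i)
        lines.append(entry(ip, t, "POST", "/xmlrpc.php", 200))
        if i % 2 == 0:
            lines.append(entry(ip, t + timedelta(seconds=1), "POST", "/xmlrpc.php", 200))
        lines.append(entry(ip, t + timedelta(seconds=2), "GET", "/blog/?p=42", 200))
    burst = base + timedelta(hours=1)
    for j in range(40):
        lines.append(entry("198.51.100.7", burst + timedelta(seconds=j),
                           "POST", "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    for alert in classify_auth_traffic(make_sample_log()):
        print(alert)
```

Run against the constructed sample, the first window (10:00 UTC) is reported as distributed with 45 attempts from 30 addresses and a peak of two per address, while the 11:00 window is reported as concentrated with 40 attempts from a single address. On a real site, feed the function the access log for the period of interest and alert on any distributed window; a concentrated one should already be handled by the existing per-IP controls.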
Why the operators switched from crypto drainers to brute-force attacks is unclear, though profit remains the likely driver: wallet drainers caused substantial losses in 2023, so the financial incentive is evident. Separately, attackers have exploited a critical flaw in the 3DPrint Lite WordPress plugin (CVE-2021-4436) to deploy the Godzilla web shell, giving them persistent remote access to compromised sites.
A SocGholish campaign is also targeting WordPress sites, distributing its JavaScript malware through modified versions of legitimate plugins. The end goal is the familiar one: luring visitors into downloading remote access trojans that can serve as a foothold for ransomware.
Taken together, these campaigns are a reminder that WordPress security requires more than a strong administrator password: keeping plugins patched, watching for injected scripts and unexpected files in the uploads directory, and monitoring login traffic in aggregate all matter against threats that keep evolving.