Hacked WordPress sites are being used to run distributed brute-force attacks against other websites through malicious JavaScript injections, The Hacker News reports. The activity is part of an attack campaign that initially exploited compromised WordPress sites to inject crypto drainers.
After obtaining a list of targeted WordPress sites and extracting author usernames, the threat actors inject malicious JavaScript code into breached websites. The attacks are launched when unsuspecting users visit those websites, enabling unauthorized access to the initially targeted sites, a report from Sucuri showed.

"For every password in the list, the visitor's browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request. If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory," said Sucuri researcher Denis Sinegubko.

The development comes after a new SocGholish malware campaign was reported to involve the impersonation of WordPress plugins.
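For operators of a site on the receiving end of the XML-RPC traffic Sucuri describes, the following added example (not from Sucuri or The Hacker News) flags usernames that receive `wp.uploadFile` calls from many distinct clients. The record layout, the thresholds, and the simplified request bodies are assumptions; the sample data is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def body(method, user, pw):
    """Build a simplified, constructed XML-RPC call (blog_id, username, password)."""
    return (f"<?xml version='1.0'?><methodCall><methodName>{method}</methodName><params>"
            f"<param><value><int>1</int></value></param>"
            f"<param><value><string>{user}</string></value></param>"
            f"<param><value><string>{pw}</string></value></param>"
            f"</params></methodCall>")

# Constructed sample: (source IP, POST body logged for /xmlrpc.php).
SAMPLE = [
    ("198.51.100.7", body("wp.uploadFile", "editor1", "guess-a")),
    ("203.0.113.20", body("wp.uploadFile", "editor1", "guess-b")),
    ("192.0.2.44", body("wp.uploadFile", "editor1", "guess-c")),
    ("192.0.2.44", body("wp.uploadFile", "editor1", "guess-d")),
    ("192.0.2.99", body("wp.getUsersBlogs", "editor1", "x")),
    ("192.0.2.10", body("wp.uploadFile", "alice", "real-upload")),
    ("192.0.2.10", "<not-xml"),  # malformed body must not break the scan
]

def parse_call(xml_body):
    """Return (methodName, username), or None if the body is not a usable call."""
    # Assumption: bodies come from stored logs; use a hardened XML parser on live traffic.
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return None
    method = root.findtext("methodName")
    values = root.findall("params/param/value")
    if root.tag != "methodCall" or not method or len(values) < 2:
        return None
    # Second parameter is the username; the value may be typed or bare text.
    user = values[1].findtext("string") or (values[1].text or "")
    return method.strip(), user.strip()

def flag_distributed_guessing(records, min_ips=3, min_attempts=4):
    """Map username -> (attempts, distinct IPs) for wp.uploadFile bursts."""
    ips, attempts = defaultdict(set), defaultdict(int)
    for ip, xml_body in records:
        call = parse_call(xml_body)
        if call and call[0] == "wp.uploadFile":
            ips[call[1]].add(ip)
            attempts[call[1]] += 1
    return {u: (attempts[u], len(ips[u])) for u in ips
            if len(ips[u]) >= min_ips and attempts[u] >= min_attempts}

if __name__ == "__main__":
    print(flag_distributed_guessing(SAMPLE))
```

Because each visitor's browser contributes only a few requests, per-IP rate limits alone can miss this pattern; grouping by targeted username is what surfaces it.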