
Cybercriminals targeted around 1.3 million WordPress websites in a single day in an attempt to steal database login credentials. According to a security alert issued by cybersecurity firm Wordfence, the attackers tried to steal configuration files by exploiting known XSS vulnerabilities in WordPress plugins and themes.
The researchers stated that the attackers tried to download the wp-config.php WordPress configuration file, which contains database connection details, authentication unique keys and salts, and database credentials. If the attackers successfully exploited a vulnerable plugin on a targeted site, they could steal login credentials from the site's database and take control of the website.
Wordfence security engineer and threat analyst Ram Gall said, “Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files. The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.”
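The campaign described above relied on requests that coax a vulnerable plugin or theme into serving wp-config.php. Site operators without a managed firewall can still spot such attempts in their own access logs. The following script is an added example, not code from the article or from Wordfence: it parses constructed Apache/nginx combined-format log lines, flags any request whose URL-decoded target references wp-config.php (decoding twice to catch double-encoded traversal), marks those that returned HTTP 200 as likely served, and counts offending requests per source IP. The plugin and theme names, IP addresses and timestamps in the sample are made up.

```python
"""
Added example (not from the article or from Wordfence): scan web-server
access-log lines for requests that try to fetch wp-config.php, the pattern
the campaign described above relied on. All log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Apache/nginx "combined" format.
# Plugin/theme names and addresses are placeholders, not real ones.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:03 +0000] "GET /wp-content/themes/example-theme/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:16 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:05 +0000] "GET /?file=wp-config.php HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_config_fetch(target: str) -> bool:
    """True if the request target references wp-config.php after URL-decoding.
    Decoding twice catches double-encoded traversal such as %252F."""
    decoded = unquote(unquote(target)).lower()
    return "wp-config.php" in decoded


def scan(log_text: str):
    """Return (hits, per_ip): hits is the list of suspicious parsed entries in
    log order, per_ip counts such requests per client. A 200 status is marked
    likely_success because the configuration file may actually have been served."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_config_fetch(m["target"]):
            continue
        entry = {
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "status": int(m["status"]),
            "likely_success": m["status"] == "200",
        }
        hits.append(entry)
        per_ip[m["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        flag = "LIKELY SERVED" if h["likely_success"] else "blocked"
        print(f'{h["ip"]} {h["status"]} {flag:13} {h["target"]}')
    print("wp-config.php requests per source IP:", dict(per_ip))
```

A request for wp-config.php that returned 200 is the one to act on: rotate the database password, the authentication keys and salts, and then find and patch the plugin or theme that served the file. The 403 entries show what a working firewall rule or web-server deny rule for wp-config.php looks like in the log.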
One Cybercriminal Group Behind Multiple Attacks
Based on the IP addresses used to launch the attacks in this campaign, WordPress security researchers have been trying to link the current campaign to recent cyberattacks targeting vulnerabilities in WordPress sites. Recently, threat actors launched attacks from 24,000 different IP addresses in an attempt to break into nearly one million (more than 900,000) WordPress sites.
It was found that since April 28, 2020, unknown hackers had been engaged in this massive campaign, which caused a 30-fold increase in the volume of attack traffic. The attacks peaked on May 3, 2020, when the group launched more than 20 million hacking attempts against half a million domains. The attackers largely abused cross-site scripting (XSS) vulnerabilities to inject malicious JavaScript code into websites and redirect their visitors to malicious sites.