390,000 WordPress Accounts Stolen in Large-Scale Attack

A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress login credentials in a 12-month long stealth campaign. This is a large-scale attack that abuses a trojanized WordPress login checker.

Researchers at Datadog Security Labs, who first discovered the attacks, said SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of different victims, believed to include administrative teams, penetration testers, security researchers, and malicious actors.

Victims were infected with the same second-stage payload pushed across dozens of trojanized GitHub repositories, delivering malicious proof-of-concept (PoC) processes targeting known vulnerabilities, along with a phishing campaign promoting the installation of a fake kernel upgrade disguised as a CPU microcode update.

In the past, attackers have used fake proof-of-concept processes to target researchers, hoping to steal valuable documents or gain access to cybersecurity companies' internal networks.

Due to misleading naming, some of these repositories are automatically included in legitimate sources, such as Feedly Threat Intelligence or Vulnmon, as PoC repositories for their respective vulnerabilities. This increases the legitimacy of the malware and the likelihood of attracting victims to launch it.

The malware was dropped through the GitHub repository using a variety of methods, including backdoored configuration files, malicious PDF files, Python droppers, and malicious npm packages included in project dependencies.

As discovered by Datadog Security Labs, the campaign overlaps with one outlined in a November Checkmarkx report on a year-long supply chain attack, in which the GitHub project "hpc20235/yawp" was trojanized with malicious code in the npm package "0xengine/xmlrpc" to steal data and mine the cryptocurrency Monero.

The malware deployed in these attacks included a cryptocurrency miner and a backdoor that enabled MUT-1244 to collect and steal private SSH keys, AWS credentials, environment variables, and key directory contents such as "~/.aws".

"MUT-1244 was able to access over 390,000 credentials, believed to be Wordpress logins. We assess with high confidence that before these credentials were put into Dropbox, they were already in the hands of the attackers, most likely stolen through illicit means," said researchers at Datadog Security Labs.

390,000 WordPress Accounts Stolen in Large-Scale Attack Picture 1

These actors were then compromised via the yawpp tool they used to check the validity of these credentials. Since MUT-1244 advertises yawpp as a 'credential checker' for WordPress, it is not surprising that an attacker with a set of stolen credentials (often purchased from underground markets as a way to accelerate malicious activity) would use yawpp to authenticate them.

The attackers successfully exploited trust within the cybersecurity community to compromise dozens of computers owned by both the white and black hat hacker communities, mostly by unwittingly executing the threat actor's malware, resulting in the theft of data including SSH keys, AWS access tokens, and command history.

Datadog Security Labs estimates that hundreds of systems remain compromised and many more are still being infected as part of this ongoing campaign.

Micah Soto

Update 20 December 2024