Large-scale campaign targets configuration files from WordPress sites

Pierluigi Paganini June 04, 2020

Security experts have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites.

Security researchers from Wordfence have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites.

Threat actors attempted to exploit well-known vulnerabilities in unpatched plugins to download configuration files from WordPress sites and steal database credentials.

“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” reads the post published by Wordfence.

“The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.”

The campaign accounted for 75% of all attempted exploits of WordPress issues, including plugin and theme vulnerabilities.


The campaign targeted more than 1.3 million WordPress sites. Wordfence blocked more than 130 million exploitation attempts on its network alone, but experts believe the magnitude of the attack is far greater.

Experts noticed that the campaign involved over 20,000 different IP addresses that were also used in an XSS campaign that was observed in early May.

The new campaign is targeting nearly a million new sites that weren’t included in the previous XSS campaigns.

“As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts.” continues the analysis. “An attacker with access to this file could gain access to the site’s database, where site content and users are stored.”

According to Wordfence experts, the two campaigns have most likely been carried out by the same attackers.

Experts also published Indicators of Compromise (IoCs) for the campaign.
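For site owners who want to check their own web server logs for the requests described above, the following is an added example, not code from Wordfence or from this article. It assumes Apache/nginx combined log format; the sample log lines are constructed, using documentation IP ranges and hypothetical plugin and theme paths.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET_FILE = re.compile(r"wp-config\.php", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_config_probes(lines):
    """Return {ip: [(target, status, served)]} for requests naming wp-config.php."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        target = fully_decode(m["target"]) if m else ""
        if not TARGET_FILE.search(target):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a non-empty body means the server returned something: review it.
        served = status == 200 and size > 0
        hits[m["ip"]].append((target, status, served))
    return dict(hits)


# Constructed sample log lines (documentation IPs, hypothetical plugin/theme paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [30/May/2020:10:01:03 +0000] "GET /wp-content/themes/example-theme/export.php?path=..%252f..%252f..%252fwp-config%252ephp HTTP/1.1" 200 3187 "-" "-"',
    '198.51.100.23 - - [30/May/2020:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [31/May/2020:08:15:40 +0000] "GET /index.php?f=WP-CONFIG.PHP HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_config_probes(SAMPLE_LOG).items():
        print(ip, events)
```

Any entry flagged as served warrants checking what the response contained and, if it was the configuration file, rotating the database password and the authentication keys and salts it holds.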


Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)
