Large-scale attack tries to steal configuration files from WordPress sites

Attackers tried to download configuration files from WordPress sites so they could steal database credentials.
Written by Catalin Cimpanu, Contributor
Image: ZDNet, WordPress

Hackers have launched a massive campaign against WordPress websites over the past weekend, attacking old vulnerabilities in unpatched plugins to download configuration files from WordPress sites.

The goal of the attack was to use old exploits to download or export wp-config.php files from unpatched websites, extract database credentials, and then use the usernames and passwords to take over databases.

Ram Gall, a threat analyst at Wordfence, a provider of web application firewall (WAF) services, said that last weekend's attack was of massive proportions when compared to what the company was seeing on a daily basis.

Gall said "this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem."

According to an attack chart WordFence published today part of a threat alert, the config-grab attacks tripled any other form of attack against WordPress sites.

Image: Wordfence

Gall said Wordfence blocked more than 130 million exploitation attempts on its network alone, which targeted more than 1.3 million WordPress sites, however, the attacks are believed to have targeted even many more other sites, not covered by the company's network.

The Wordfence engineer said the attacks were carried out from a network of 20,000 different IP addresses. Most of these IPs were also previously used in another large-scale campaign that targeted WordPress sites at the start of May.

During the first campaign, the threat actor used a batch of XSS (cross-site scripting) vulnerabilities and attempted to insert new admin users and backdoors on targeted sites.

The first campaign was also similarly massive in scale, as the group's XSS attacks outweighed all the XSS attacks carried out by other groups combined (see second chart below).

Gall believes the two campaigns, albeit they targeted different vulnerabilities, have most likely been orchestrated by the same threat actor.

Image: Wordfence

What's in a name? These DevOps tools come with strange backstories

Editorial standards