Wordfence security experts warned about a large-scale campaign for hacking WordPress sites last weekend.
Hackers used old vulnerabilities in plugins and tried to download configuration files from sites.
“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” write Wordfence experts.
Researchers report that the attackers used old exploits to download or export wp-config.php files from vulnerable sites, extracted the database credentials stored in them, and then used the resulting usernames and passwords to take over the databases.
Wordfence analysts write that this campaign accounted for up to 75% of all attempts to exploit vulnerabilities in WordPress plugins and themes. In fact, attacks aimed at stealing configuration files tripled as a result.
“If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether,” write Wordfence researchers.
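As an added example (not code from the Wordfence report), here is a small Python check a site owner can run over web-server access logs to spot the kind of requests described above: attempts to fetch wp-config.php either directly or through a plugin's file-download parameter. The log lines are constructed, and the plugin path and parameter names are assumptions about how such downloads typically look, not details from the article.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# The plugin name "example" and the parameters "file"/"f" are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:10:01:12 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:10:01:15 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2020:10:02:40 +0000] "GET /wp-content/plugins/example/export.php?f=..%2F..%2Fwp-config.php HTTP/1.1" 200 2811 "-" "curl/7.68.0"
192.0.2.44 - - [30/May/2020:10:03:05 +0000] "GET /index.php?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [30/May/2020:10:03:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# client IP, method, request path (with query string), and HTTP status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def is_config_harvest(request_path: str) -> bool:
    """True if the decoded path or query string reaches for wp-config.php."""
    decoded = unquote(unquote(request_path)).lower()  # also undo double encoding
    return "wp-config.php" in decoded


def scan_log(text: str):
    """Return (hits, per_ip): flagged records plus a count of flagged requests
    per source address, suitable for alerting or for feeding a blocklist."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if is_config_harvest(path):
            # A 200 means the server answered the request; the file may have leaked.
            hits.append({"ip": ip, "path": path, "status": int(status),
                         "served": status == "200"})
            per_ip[ip] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for h in hits:
        print("LEAKED " if h["served"] else "blocked", h["ip"], h["path"])
    print("flagged requests per IP:", dict(per_ip))
```

A served (200) hit is the signal to rotate the database password immediately; a blocked (403) hit still identifies a source worth rate-limiting.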
Wordfence has blocked more than 130 million attempts to exploit various vulnerabilities that targeted more than 1,300,000 WordPress sites. Keep in mind, however, that the company’s statistics cover only the sites in its own network, and the attacks were also aimed at sites outside it.
The attacks were carried out from 20,000 different IP addresses, most of which had previously been used in another large-scale campaign, also targeting WordPress sites, that was active in early May of this year.
During that first campaign, the hackers used a number of XSS vulnerabilities to try to create new administrator users on vulnerable sites and plant backdoors. That campaign was similar in scale to the current one: the XSS attacks of this unknown group outweighed all other XSS attacks carried out by other hackers combined (see illustration below). In total, the group tried to hack over 900,000 sites.
Wordfence experts now believe that both campaigns are the work of the same hacker group, which is simply trying different approaches. Some experts also notice similar elements in a strange attack on users of WordPress plugins last year which, for various reasons, has been largely forgotten.