A large scale attack targeted hundreds of thousands of WordPress websites over the course of 24 hours, attempting to harvest database credentials by stealing config files after abusing known XSS vulnerabilities in WordPress plugins and themes.
“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” Wordfence QA engineer and threat analyst Ram Gall said.
“The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.”
The attackers were trying to download the wp-config.php WordPress configuration file which contains database credentials and connection info, besides authentication unique keys, and salts.
If they successfully exploited any vulnerable plugins used by the targeted sites, the hackers could easily steal credentials from their databases and takeover the websites.
“Attacks by this campaign should be visible in your server logs,” Gall explained. “Look for any log entries containing wp-config.php in the query string that returned a 200 response code.”
One threat actor behind multiple large-scale WordPress attacks
Based on the 20,000 different IP addresses used to launch the attacks in this campaign, the WordPress security provider’s researchers were able to link this massive campaign to another large-scale attack that started on April 28 and resurfaced on May 11 to also target hundreds of thousands of vulnerable WordPress sites.
In that campaign, the threat actor—tracked by Wordfence since February—was attempting to plant backdoors or to redirect visitors to malvertising sites by exploiting cross-site scripting (XSS) vulnerabilities in plugins patched months or even years ago and previously targeted in other attacks.
The attackers behind these campaigns were able to launch more than 20 million attacks against over half a million sites on May 3rd alone.
To defend against this type of attack, WordPress site owners and admins should keep all their plugins and themes up to date to patch the vulnerabilities this threat actor is trying to exploit to compromise their sites,
They should also delete or disable the ones that were removed from WordPress’ repository since they are no longer maintained and they could come with previously undiscovered security vulnerabilities that will never be patched.