June 3

Large Scale Attack Campaign Targets Database Credentials

WordPress Security


Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks designed to harvest database credentials from 1.3 million sites by downloading their configuration files.

The peak of the attack campaign occurred on May 30, 2020. At that point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

A graph showing the spike in attacks

We were able to link these attacks to the same threat actor previously targeting XSS vulnerabilities at a similar scale. All Wordfence users, including Wordfence Premium and those still using the free version of Wordfence, are protected by our firewall's built-in directory traversal protection.

Different vulnerabilities, same IPs

The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren't included in the previous XSS campaigns.

As with the XSS campaigns, the majority of the attacks are directed at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection details, along with authentication unique keys and salts. An attacker with access to this file could gain access to the site's database, where site content and users are stored.

Indicators of Compromise

Attacks by this campaign should be visible in your server logs. Look for any log entries containing wp-config.php in the query string that returned a 200 response code.
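As an added example that is not part of the Wordfence post, the following Python script applies that check to web server access logs in the common combined format: it flags requests whose query string contains wp-config.php (after URL-decoding, so encoded and double-encoded traversal is caught too) and that were answered with HTTP 200. The log lines, IP addresses and plugin paths in it are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Combined log format as written by Apache and Nginx by default (assumed layout;
# adjust the pattern if your server uses a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines; the plugin/theme paths are placeholders, not real products.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/PLACEHOLDER-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.11 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/plugins/PLACEHOLDER-plugin/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [30/May/2020:10:03:00 +0000] "GET /wp-content/themes/PLACEHOLDER-theme/export.php?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
"""

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded %252e variants are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_config_download_attempt(line):
    """Return (ip, request target) when the query string names wp-config.php and the
    server answered 200 (the indicator described above); otherwise return None."""
    m = LOG_RE.match(line)
    if not m or m.group("status") != "200":
        return None
    target = m.group("target")
    query = fully_decode(urlsplit(target).query)
    if "wp-config.php" not in query.lower():
        return None
    return (m.group("ip"), target)

def scan(lines):
    """Return all matching (ip, target) pairs from an iterable of log lines."""
    return [hit for hit in map(is_config_download_attempt, lines) if hit]

def count_by_ip(hits):
    """Aggregate hits per source IP, useful for blocking decisions and reporting."""
    return Counter(ip for ip, _ in hits)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, target in found:
        print(f"possible wp-config.php disclosure: {ip} {target}")
    print(count_by_ip(found))
```

A 200 response only shows the request succeeded at the web server; confirm whether the vulnerable plugin actually returned the file contents before treating the site as compromised.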

The top 10 attacking IP addresses in this campaign are the following.


What should I do?

Sites running Wordfence are protected against this campaign. If your site isn't running Wordfence, and you believe you may have been compromised, change your database password and authentication unique keys and salts immediately.

If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site's authentication keys and salts may be able to use them to more easily bypass other security mechanisms.

If you're uncomfortable making the changes above, please contact your host, as changing your database password without updating the wp-config.php file can temporarily take your site down.

Conclusion

In today's post, we covered another large-scale attack campaign against WordPress sites by a threat actor we've been tracking since February. All Wordfence users, including sites running the free version of Wordfence and Wordfence Premium, are protected against these attacks. Nonetheless, we urge you to ensure that all plugins and themes are kept up to date, and to share this information with any other site owners or administrators you know. Attacks by this threat actor are evolving and we'll continue to share more information as it becomes available.

The post Large Scale Attack Campaign Targets Database Credentials appeared first on Wordfence.

About the author 

WP Maintain Support Protect
