Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks designed to harvest database credentials from 1.3 million sites by downloading their configuration files.
The peak of the attack campaign occurred on May 30, 2020. At that point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.
We were able to link these attacks to the same threat actor that previously targeted XSS vulnerabilities at a similar scale. All Wordfence users, including Wordfence Premium customers and those still using the free version of Wordfence, are protected by our firewall’s built-in directory traversal protection.
Different vulnerabilities, same IPs
The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which account for the majority of the attacks and sites targeted. This campaign is also attacking almost a million new sites that were not included in the previous XSS campaigns.
As with the XSS campaigns, the vast majority of the attacks are directed at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to every WordPress installation that contains database credentials and connection details, along with authentication unique keys and salts. An attacker with access to this file could gain access to the site’s database, where site content and user accounts are stored.
Indicators of Compromise
Attacks by this campaign should be visible in your server logs. Look for any log entries containing wp-config.php in the query string that returned a 200 response code.
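As an added illustration of that log search (example code, not part of the original post), the script below parses access-log lines in the default combined format and flags requests whose query string carried wp-config.php and received a 200 response. The log lines, IP addresses and plugin path are constructed placeholders; adjust the regex if your server uses a custom log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache and nginx by default (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_config_harvest_hit(line):
    """Return (ip, target) when the request's query string names
    wp-config.php and the server answered 200, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    query = urlsplit(target).query
    # Inspect decoded query values rather than the raw string so that
    # percent-encoded variants (e.g. wp-config%2Ephp) are caught as well.
    values = [v for vals in parse_qs(query, keep_blank_values=True).values()
              for v in vals]
    hit = any("wp-config.php" in v.lower() for v in values)
    if hit and m.group("status") == "200":
        return m.group("ip"), target
    return None

def scan_log(lines):
    """Return a list of (ip, target) for every successful download attempt."""
    hits = []
    for line in lines:
        result = is_config_harvest_hit(line)
        if result:
            hits.append(result)
    return hits

# Constructed sample lines (documentation-range IPs, placeholder plugin path).
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2020:10:12:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [30/May/2020:10:12:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 404 512
198.51.100.9 - - [30/May/2020:10:13:44 +0000] "GET /wp-content/plugins/example-plugin/export.php?path=wp-config%2Ephp HTTP/1.1" 200 2980
198.51.100.9 - - [30/May/2020:10:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
""".splitlines()

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
```

A 404 with the file name in the query string still shows the attempt was made, but only a 200 indicates the file may actually have been served, which is the case that warrants rotating credentials.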
The top 10 attacking IP addresses in this campaign are listed below.
What should I do?
Sites running Wordfence are protected from this campaign. If your site is not running Wordfence and you believe you may have been compromised, change your database password and your authentication unique keys and salts immediately.
If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site’s authentication keys and salts may be able to use them to more easily bypass other security mechanisms.
If you are not comfortable making the changes above, please contact your host, since changing your database password without also updating the wp-config.php file can temporarily take your site down.
In today’s post, we covered another large-scale attack campaign against WordPress sites by a threat actor we have been tracking since February. All Wordfence users, including sites running the free version of Wordfence and Wordfence Premium, are protected against these attacks. Nonetheless, we urge you to ensure that all plugins and themes are kept up to date, and to share this information with any other site owners or administrators you know. Attacks by this threat actor are evolving, and we will continue to share more information as it becomes available.
The post Large Scale Attack Campaign Targets Database Credentials appeared first on Wordfence.