March 6, 2024 at 05:40PM
Hackers have been targeting WordPress sites with widescale attacks, initially using crypto wallet drainer scripts to steal cryptocurrency. More recently, they have switched to injecting malicious scripts that force visitors’ browsers to conduct bruteforce attacks on other websites. The threat actor’s goal seems to be building a larger portfolio of compromised sites for future attacks.
Key takeaways:
1. Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors’ browsers to bruteforce passwords for other sites.
2. Security researchers have been tracking a threat actor known for breaching sites to inject crypto wallet drainer scripts, which steal all cryptocurrency and assets when a visitor connects their wallet.
3. Threat actors are creating fake Web3 sites with wallet drainers and promoting them through various channels to steal visitors’ cryptocurrency.
4. The threat actor injected the AngelDrainer wallet drainer in multiple waves from multiple URLs, the last being ‘dynamiclink[.]lol/cachingjs/turboturbo.js.’
5. In late February, the threat actor switched from wallet draining to hijacking visitors’ browsers to bruteforce other WordPress sites using a malicious script from a newly registered domain ‘dynamic-linx[.]com/chx.js’.
6. The attackers are using compromised WordPress sites to force visitors’ browsers to conduct bruteforce attacks for account credentials on other websites: the injected script makes the browser quietly contact the threat actors’ server to receive a password bruteforcing task, which then runs without the visitor noticing.
7. The attackers are using over 1,700 compromised sites or their loaders to build a distributed bruteforce army for larger scale attacks.
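Since the injection described above lives in the HTML served by a compromised site, a site owner can catch it by inventorying every externally loaded `<script>` on a page. The following is an added example written for this summary, not code from the original report or from any vendor. It undefangs the two indicator URLs quoted above, extracts all script `src` values from a page with the standard-library HTML parser, and flags any script whose host is a known indicator or is not on an allowlist of hosts the site is expected to load from. The allowlist hosts, the `.test` domains and the sample page are constructed for the example; only the two indicator URLs come from the summary.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator URLs quoted in the summary above, in defanged form.
PAGE_INDICATORS = [
    "dynamiclink[.]lol/cachingjs/turboturbo.js",
    "dynamic-linx[.]com/chx.js",
]


def undefang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a usable URL string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def indicator_host(indicator):
    """Return the lowercase hostname of a (possibly scheme-less) indicator URL."""
    ind = undefang(indicator)
    if "://" not in ind:
        ind = "http://" + ind
    return (urlparse(ind).hostname or "").lower()


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def scan_html(html, allowed_hosts, indicators=PAGE_INDICATORS):
    """Return (reason, src) findings for scripts loaded from known-bad or unexpected hosts.

    Relative and same-origin scripts (no hostname) are ignored; protocol-relative
    '//host/path' sources are treated as https so the host can be parsed.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    ioc_hosts = {indicator_host(i) for i in indicators}
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in parser.srcs:
        url = "https:" + src if src.startswith("//") else src
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue  # relative path: served by the site itself
        if host in ioc_hosts:
            findings.append(("known_indicator", src))
        elif host not in allowed:
            findings.append(("unexpected_external_script", src))
    return findings


# Constructed sample page: one legitimate relative script, one allowlisted CDN,
# one script from the second indicator domain, and one unknown external host.
SAMPLE_HTML = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-allowed.test/lib.js"></script>
<script src="https://{undefang(PAGE_INDICATORS[1])}"></script>
<script src="//unknown-cdn.test/tracker.js"></script>
</head><body></body></html>"""


def scan_sample():
    """Run the scanner over the constructed sample with a one-host allowlist."""
    return scan_html(SAMPLE_HTML, {"cdn.example-allowed.test"})


if __name__ == "__main__":
    for reason, src in scan_sample():
        print(f"{reason}: {src}")
```

Running this over a real site's rendered pages (not just the theme files on disk, since the injection may come from the database or a plugin) turns any new external script host into a review item; the allowlist is what makes a freshly registered domain like the ones above stand out even before it is published as an indicator.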