Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Large-scale campaign targets configuration files from WordPress sites

Security experts have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites. Security researchers from WordFence have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites. Threat actors attempted to exploit well- known vulnerabilities in unpatched plugins to download configuration files from WordPress […]

WordPress wp-config-attacks

Security experts have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites.

Security researchers from WordFence have observed a large-scale campaign over the weekend aimed at stealing configuration files from WordPress sites.

Threat actors attempted to exploit well- known vulnerabilities in unpatched plugins to download configuration files from WordPress sites and steal database credentials.

“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files.” reads the post published by WordFence.

“The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.”

The campaign accounted for 75% of all attempted exploits of WordPress issues, including plugin and theme vulnerabilities.

WordPress wp-config-attacks

The campaign targeted more than 1.3 million WordPress sites, Wordfence blocked more than 130 million exploitation attempts on its network alone, but experts believe the magnitude of the attack is far greater.

Experts noticed that the campaign involved over 20,000 different IP addresses that were also used in an XSS campaign that was observed in early May.

The new campaign is targeting nearly a million new sites that weren’t included in the previous XSS campaigns.

“As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts.” continues the analysis. “An attacker with access to this file could gain access to the site’s database, where site content and users are stored.”

According to WordFence experts, the two campaigns, have most likely been carried out by the same attackers.

Experts also published Indicators of Compromise (IoCs) for the campaign.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]