Introduction
A sophisticated year-long cyberattack orchestrated by a threat actor known as MUT-1244 has resulted in the theft of over 390,000 WordPress account credentials. This large-scale campaign not only targeted WordPress users but also ensnared cybersecurity professionals and malicious actors by leveraging trojanized tools and phishing tactics. The findings, revealed by researchers at Datadog Security Labs, highlight the growing risks associated with supply chain vulnerabilities and deceptive online repositories.
Key Targets and Stolen Data
The attack was highly strategic, with stolen data including SSH private keys, AWS access tokens, and sensitive environment variables. Victims of this campaign ranged from red teamers and penetration testers to security researchers and malicious actors. The credentials and data were harvested through several delivery vectors, including:
- Trojanized WordPress credential checkers.
- Malicious GitHub repositories containing fake proof-of-concept (PoC) exploits.
- Phishing emails prompting victims to install a fake kernel update disguised as a CPU microcode upgrade.
How the Attack Unfolded
The campaign relied on a two-stage approach to infect victims. In the first stage, phishing emails lured targets into executing commands that installed malware. Simultaneously, trojanized GitHub repositories attracted security professionals and threat actors searching for exploit code targeting specific vulnerabilities.
The malicious repositories appeared legitimate due to their names and descriptions, leading them to be automatically included in reputable sources such as Feedly Threat Intelligence and Vulnmon. This veneer of authenticity significantly increased the likelihood of unsuspecting users executing the malicious payloads.
The Role of GitHub and Trojanized Tools
A critical aspect of the attack involved GitHub repositories that hosted the payloads. The attackers used various methods to deliver the malware, including:
- Backdoored configuration files.
- Malicious PDF files.
- Python droppers.
- Compromised npm packages integrated into project dependencies.
These trojanized tools were used to deploy cryptocurrency miners and backdoors. The malware facilitated data exfiltration, targeting sensitive files and directories such as “~/.aws” and other key system locations. Investigators also discovered hardcoded credentials within the malware, allowing stolen data to be uploaded to platforms like Dropbox and file.io.
The Impact of Fake Proof-of-Concept Exploits
Fake PoC exploits were central to the success of this campaign. Security researchers and threat actors often rely on these repositories to test vulnerabilities and develop countermeasures. By capitalizing on this trust, MUT-1244 infiltrated networks belonging to both white hat and black hat hackers. Once the malware was executed, it enabled the theft of SSH keys, AWS credentials, and command histories.
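The malware described above reads ~/.aws, SSH keys and shell histories and then uploads them to Dropbox or file.io. The following added example (not code from the original article or from Datadog Security Labs) shows one way a defender can correlate those two behaviours on a host: a sensitive-file read followed, within a short window, by an outbound connection from the same process to a file-sharing host. The event format and the log lines are constructed for the example; a real EDR feed would need its own parser.

```python
"""Correlate sensitive-file reads with uploads to file-sharing hosts.

Event format (constructed for this example, one event per line):
    <ISO timestamp> <pid> open <path>
    <ISO timestamp> <pid> connect <host>:<port>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Paths the article names as targeted: AWS credentials, SSH keys, command histories.
SENSITIVE_MARKERS = ("/.aws/", "/.ssh/", "_history")
# Upload destinations the article names; subdomains (api., content.) are matched too.
EXFIL_HOSTS = ("file.io", "dropbox.com", "dropboxapi.com")

def parse(line):
    ts, pid, kind, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(pid), kind, detail

def is_sensitive(path):
    return any(marker in path for marker in SENSITIVE_MARKERS)

def is_exfil_host(endpoint):
    host = endpoint.rsplit(":", 1)[0]
    return any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS)

def correlate(lines, window=timedelta(minutes=5)):
    """Return (pid, endpoint, [sensitive files read within `window`]) per suspicious connect."""
    reads = defaultdict(list)          # pid -> [(timestamp, path)]
    alerts = []
    for line in lines:
        ts, pid, kind, detail = parse(line)
        if kind == "open" and is_sensitive(detail):
            reads[pid].append((ts, detail))
        elif kind == "connect" and is_exfil_host(detail):
            recent = sorted({p for t, p in reads[pid] if ts - t <= window})
            if recent:                 # reads without a matching upload are noise
                alerts.append((pid, detail, recent))
    return alerts

# Constructed sample: pid 4120 reads creds then uploads; 5321 uploads far too late;
# 6000 contacts file.io without touching anything sensitive.
SAMPLE_EVENTS = [
    "2024-11-20T10:00:01 4120 open /home/alice/.aws/credentials",
    "2024-11-20T10:00:02 4120 open /home/alice/.ssh/id_rsa",
    "2024-11-20T10:00:09 4120 connect content.dropboxapi.com:443",
    "2024-11-20T10:05:00 5321 open /home/alice/.bash_history",
    "2024-11-20T10:45:00 5321 connect file.io:443",
    "2024-11-20T11:00:00 6000 connect file.io:443",
]

if __name__ == "__main__":
    for pid, endpoint, files in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} uploaded to {endpoint} after reading {files}")
```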
Connection to Previous Attacks
Datadog Security Labs’ findings reveal overlaps between this campaign and a supply chain attack reported by Checkmarx in November. The earlier attack involved a GitHub project called “hpc20235/yawpp”, which pulled in malicious code through the “0xengine/xmlrpc” npm package. This malicious package was used to steal credentials and mine Monero cryptocurrency. The second-stage payload in the current campaign also enabled data exfiltration to file-sharing platforms, underscoring the persistence and sophistication of these operations.
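Because the malicious code arrived as an npm dependency of an otherwise plausible tool, the practical check is whether that package appears anywhere in a project's lockfile, including as a transitive dependency. The added example below (not code from the article, Datadog or Checkmarx) walks both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1. The lockfile contents and version numbers are constructed; the blocklist carries the name as printed on this page and the `@`-prefixed form that npm uses for scoped packages.

```python
"""Audit an npm package-lock.json for a known-malicious dependency."""
import json

# Name as printed in the article plus the scoped spelling npm uses for "scope/name".
BLOCKLIST = {"0xengine/xmlrpc", "@0xengine/xmlrpc"}

def _walk_v1(deps, chain, found):
    """lockfileVersion 1 nests dependencies; record the chain that pulls each hit in."""
    for name, meta in (deps or {}).items():
        path = chain + [name]
        if name in BLOCKLIST:
            found.append((" > ".join(path), meta.get("version")))
        _walk_v1(meta.get("dependencies"), path, found)

def find_blocked(lock_text):
    """Return [(install path or dependency chain, version)] for blocklisted packages."""
    lock = json.loads(lock_text)
    found = []
    # lockfileVersion 2/3: flat map keyed by install path, e.g. node_modules/a/node_modules/b
    for install_path, meta in lock.get("packages", {}).items():
        if not install_path:                      # "" is the root project itself
            continue
        name = meta.get("name") or install_path.rsplit("node_modules/", 1)[-1]
        if name in BLOCKLIST:
            found.append((install_path, meta.get("version")))
    _walk_v1(lock.get("dependencies"), [], found)  # lockfileVersion 1 fallback
    return found

# Constructed v3 lockfile: the bad package is hidden two levels down.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"helper-lib": "1.0.0"}},
        "node_modules/helper-lib": {"version": "1.0.0",
                                    "dependencies": {"@0xengine/xmlrpc": "^1.0.0"}},
        "node_modules/helper-lib/node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Constructed v1 lockfile with the same transitive dependency.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "my-app", "lockfileVersion": 1,
    "dependencies": {
        "helper-lib": {"version": "1.0.0",
                       "dependencies": {"@0xengine/xmlrpc": {"version": "1.0.0"}}},
        "lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for where, version in find_blocked(sample):
            print(f"BLOCKED dependency {where} (version {version})")
```

Run it against a real project with `find_blocked(open("package-lock.json").read())`; an empty list means the lockfile does not resolve to the package, not that every other dependency is safe.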
Exploiting Trust in the Cybersecurity Community
MUT-1244 effectively exploited the trust inherent in the cybersecurity community. By advertising the yawpp tool as a WordPress credential checker, the group attracted attackers who had already obtained stolen credentials from underground markets. These users inadvertently validated the stolen credentials through yawpp, only to fall victim themselves as the malware compromised their systems.
Ongoing Threat and Recommendations
Datadog Security Labs estimates that hundreds of systems remain compromised and new infections continue to occur. The attackers’ ability to exploit supply chain vulnerabilities and trust among cybersecurity professionals highlights the need for heightened vigilance.
To mitigate such risks, organizations and individuals are advised to:
- Scrutinize the sources of tools and repositories before using them.
- Regularly update security protocols and software.
- Deploy endpoint detection and response (EDR) solutions to monitor suspicious activity.
- Educate teams about phishing tactics and supply chain risks.
Conclusion
The MUT-1244 campaign serves as a stark reminder of the evolving threat landscape and the importance of proactive cybersecurity measures. By exploiting trust and leveraging supply chain vulnerabilities, attackers managed to steal vast amounts of sensitive data, impacting both ethical and malicious actors. The cybersecurity community must remain vigilant to prevent such breaches in the future.
