Wordfence specialists have warned about a massive campaign targeting WordPress sites. Last weekend, hackers exploited old vulnerabilities in plugins and tried to download configuration files from sites.
Researchers report that the attackers used old exploits to download or export wp-config.php files from vulnerable sites, extract the database credentials, and then use the resulting usernames and passwords to take over the databases.
Wordfence analysts write that this campaign accounted for about 75% of all attempts to exploit vulnerabilities in WordPress plugins and themes. In fact, attacks aimed at capturing configuration files tripled as a result.
Wordfence has blocked more than 130 million attempts to exploit various vulnerabilities, which targeted more than 1,300,000 WordPress sites. But keep in mind that the company’s statistics cover only sites within its own network, and the attacks were clearly also directed at other sites outside it.
The attacks were carried out from 20,000 different IP addresses, most of which were previously used in another large-scale campaign that also targeted WordPress sites and was active in early May of this year.
During that first campaign, hackers used a number of XSS vulnerabilities and tried to create new administrator users on vulnerable sites and plant backdoors. It was no smaller in scale than the current one: the XSS attacks of this unknown group outnumbered all XSS attacks carried out by other hackers combined (see illustration below). In total, the group tried to hack over 900,000 sites.
Wordfence experts now believe that both campaigns are the work of the same hacker group, which is simply trying different approaches.
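Site owners can check their own web server access logs for the wp-config.php download attempts described above. The following is an added example, not code from Wordfence or from the original article: it assumes the combined log format, and the sample log lines, IP addresses, plugin path and parameter names are all constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format. IPs come from documentation
# ranges; the plugin path and parameter names are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=wp-config.php HTTP/1.1" 200 3120
203.0.113.10 - - [01/Jan/2024:10:01:05 +0000] "GET /?export=wp-config%2Ephp HTTP/1.1" 403 199
198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /index.php?path=WP%252Dconfig.php HTTP/1.1" 404 0
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521
"""

# Captures: client IP, request URI, response status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded file names are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_config_probes(log_text):
    """Map each source IP to the (uri, status) requests that name wp-config.php."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, uri, status = m.groups()
        if "wp-config.php" in fully_decode(uri).lower():
            hits[ip].append((uri, int(status)))
    return dict(hits)

def served_probes(hits):
    """Probes answered with 200, i.e. the file may actually have been sent."""
    return [(ip, uri) for ip, reqs in hits.items() for uri, st in reqs if st == 200]

if __name__ == "__main__":
    hits = find_config_probes(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, len(reqs), "probe(s)")
    print("possibly disclosed:", served_probes(hits))
```

A 200 response to such a request means the file may have been served, in which case the database password stored in wp-config.php should be treated as exposed and changed.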