Wordfence specialists warned about a massive campaign targeting WordPress sites. Over the weekend, attackers exploited old vulnerabilities in plugins and tried to download configuration files from websites.
Researchers report that the attackers used old exploits to download or export wp-config.php files from vulnerable sites, extract the database credentials stored there, and then use the obtained usernames and passwords to take over the databases.
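As an added illustration (not part of Wordfence's report), the following Python detector scans constructed Apache access-log lines for the indicator behind this campaign: wp-config.php named in a query-string parameter of a plugin or theme script, which is how an arbitrary-file-download flaw hands the file to the requester. The plugin path, IP addresses and log lines are made up.

```python
import re
from collections import Counter
from urllib.parse import urlparse, unquote

# Constructed sample log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/export.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:11 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.44 - - [30/May/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
192.0.2.44 - - [30/May/2020:10:03:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def is_config_exfil_attempt(target):
    """True when wp-config.php appears in the query string, however encoded.
    A direct GET /wp-config.php is deliberately not flagged: PHP executes the
    file and returns nothing, so it does not disclose the source or credentials.
    The leak happens when the name is passed as a parameter to a plugin script."""
    query = unquote(unquote(urlparse(target).query))  # undo double-encoding too
    return "wp-config.php" in query.lower()

def scan_log(text):
    """Return matching records; a 200 with a non-empty body suggests the download worked."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_config_exfil_attempt(rec["target"]):
            rec["likely_success"] = rec["status"] == 200 and rec["size"] > 0
            hits.append(rec)
    return hits

def attempts_per_ip(hits):
    """Count flagged requests by source address, for blocking or follow-up."""
    return Counter(h["ip"] for h in hits)
```

A successful hit is a signal to rotate the database credentials in wp-config.php immediately, not just to block the source address.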
Wordfence analysts write that this campaign accounted for about 75% of all attempts to exploit vulnerabilities in WordPress plugins and themes. As a result of it, attacks aimed at hijacking configuration files have tripled.
Wordfence has blocked over 130,000,000 attempts to exploit various vulnerabilities, targeting over 1,300,000 WordPress sites. Keep in mind, however, that the company's statistics cover only the sites protected by its own network, and the attacks were clearly also directed at sites outside of it.
Attacks were carried out from 20,000 different IP addresses, most of which had previously been used in another large-scale campaign that also targeted WordPress sites and was active at the beginning of May this year.
During that first campaign, the hackers exploited a number of XSS vulnerabilities and tried to create new administrator users on vulnerable sites and plant backdoors. That campaign was no less massive than the current one: XSS attacks by the unknown group outweighed all other XSS attacks by other hackers combined (see illustration below). In total, the group attempted to hack over 900,000 websites.
Wordfence experts now believe that both campaigns are the work of the same hacker group, which is simply trying different approaches.