Hackers Launch Large-Scale Campaign Stealing 390,000 WordPress Credentials; Security Researchers Are the Main Targets
IT Home, December 16 - According to BleepingComputer, the cybersecurity community is facing a large-scale hacking campaign that has run for nearly a year. The threat actor MUT-1244 has stolen more than 390,000 WordPress login credentials through a carefully constructed set of attack techniques.
Researchers found that the attackers used a trojanized WordPress credential checker as their primary attack tool. Notably, the campaign's main targets were not ordinary users but other cyber attackers, red team members, penetration testers and security researchers.
Multiple Attack Methods Combined
The attackers employed several techniques:
1. Spreading malicious code through dozens of trojanized GitHub repositories
2. Launching attacks that exploit known vulnerabilities
3. Sending phishing emails that trick recipients into installing fake kernel updates
4. Creating fake GitHub repositories to attract security researchers
Datadog Security Labs researchers noted: "These malicious repositories were automatically indexed by legitimate threat intelligence platforms like Feedly and Vulnmon due to naming issues, which significantly increased their credibility."
Attack Impact Continues to Expand
In addition to WordPress credentials, the attackers also stole:
• SSH private keys
• AWS access keys
• Other sensitive information
It is estimated that hundreds of systems remain infected and that the campaign is still ongoing. Security experts recommend that all WordPress administrators immediately review the security state of their systems and rotate all critical credentials.
