A sophisticated threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign. The attack targeted both malicious actors and legitimate researchers using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs discovered the breach.
They revealed that SSH private keys and AWS access keys were also compromised. Victims included red teamers, penetration testers, security researchers, and malicious actors. The second-stage payload was delivered through dozens of trojanized GitHub repositories.
These repositories offered malicious proof-of-concept (PoC) exploits for known security vulnerabilities. A phishing campaign also duped targets into installing a fake kernel upgrade disguised as a CPU microcode update. The payloads were deployed via GitHub repositories using various methods.
These included backdoored configure compilation files, malicious PDF files, Python droppers, and malicious npm packages in project dependencies. This campaign bears similarity to a year-long supply chain attack involving the “hpc20235/yawp” GitHub project.
MUT-1244 breaches cybersecurity community
That project used the “0xengine/xmlrpc” npm package for data theft and cryptocurrency mining. Malware involved in the attacks included a cryptocurrency miner and a backdoor. The backdoor enabled MUT-1244 to collect and exfiltrate private SSH keys, AWS credentials, environment variables, and key directory contents.
The second-stage payload allowed data exfiltration to file-sharing services such as Dropbox and file.io. Hardcoded credentials for these platforms were discovered within the payload.
“MUT-1244 was able to gain access to over 390,000 WordPress credentials. Before these credentials were exfiltrated to Dropbox, they were likely in the hands of offensive actors who acquired them illicitly,” Datadog researchers explained.
The attackers exploited trust within the cybersecurity community. They compromised dozens of machines belonging to both white hat and black hat hackers.
The stolen data included SSH keys, AWS access tokens, and command histories. Datadog Security Labs estimates that hundreds of systems remain compromised, with new infections still occurring as part of this ongoing campaign.
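The article describes two things a defender can turn into a triage check: the delivery vector (malicious npm packages pulled in as project dependencies, with install-time scripts) and the backdoor's behaviour (reading SSH keys, AWS credentials and environment variables, then uploading to Dropbox or file.io with hardcoded credentials). The script below is an added example, not code from Datadog Security Labs or from the article, that statically scans an unpacked npm package for that combination. The indicator regexes, the lifecycle-hook list, the `verdict` thresholds and both sample packages are constructed assumptions for illustration; the suspicious sample is a deliberately non-functional sketch containing only the strings a scanner would key on.

```python
import json
import re

# Behaviours the article attributes to the backdoor: collection of local
# secrets and exfiltration to file-sharing services. Patterns are assumptions
# made for this example, not signatures published by the researchers.
COLLECTION_PATTERNS = {
    "ssh_keys": re.compile(r"\.ssh/(id_|authorized_keys|config)"),
    "aws_credentials": re.compile(r"\.aws/credentials|AWS_SECRET_ACCESS_KEY"),
    "env_dump": re.compile(r"JSON\.stringify\(process\.env\)|\bos\.environ\b|\bprintenv\b"),
    "dir_listing": re.compile(r"\bos\.walk\(|\bfind\s+/|\bls\s+-la?R\b"),
}
EXFIL_PATTERNS = {
    "dropbox_api": re.compile(r"(content|api)\.dropboxapi\.com"),
    "file_io": re.compile(r"https?://file\.io\b"),
    "hardcoded_bearer": re.compile(r"Bearer\s+[A-Za-z0-9._-]{20,}"),
}
# npm lifecycle scripts that run automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_text(text: str) -> dict[str, list[str]]:
    """Return the indicator names found in `text`, grouped by category."""
    hits: dict[str, list[str]] = {"collection": [], "exfil": []}
    for name, pattern in COLLECTION_PATTERNS.items():
        if pattern.search(text):
            hits["collection"].append(name)
    for name, pattern in EXFIL_PATTERNS.items():
        if pattern.search(text):
            hits["exfil"].append(name)
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """Secret collection AND an exfil channel together is the strong signal;
    either one alone (a legitimate Dropbox client, an SSH tooling library)
    only warrants manual review."""
    if hits["collection"] and hits["exfil"]:
        return "high"
    if hits["collection"] or hits["exfil"]:
        return "review"
    return "clean"


def triage_npm_package(files: dict[str, str]) -> dict:
    """Triage an unpacked npm package given as {relative path: file text}.
    Reports install-time hooks from package.json and per-file indicators,
    and folds every file's hits into one package-level verdict."""
    manifest = json.loads(files.get("package.json", "{}"))
    hooks = {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}
    combined: dict[str, list[str]] = {"collection": [], "exfil": []}
    per_file = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits["collection"] or hits["exfil"]:
            per_file[path] = hits
            for category in combined:
                combined[category] += [h for h in hits[category] if h not in combined[category]]
    return {
        "name": manifest.get("name"),
        "install_hooks": hooks,
        "findings": per_file,
        "verdict": verdict(combined),
    }


# Constructed sample packages (not real packages from the campaign).
SAMPLE_BENIGN = {
    "package.json": '{"name": "pad-helper", "version": "1.0.0", "scripts": {"test": "node test.js"}}',
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}
SAMPLE_SUSPICIOUS = {
    "package.json": '{"name": "wp-cred-checker", "version": "0.3.1", "scripts": {"postinstall": "node setup.js"}}',
    # Non-functional sketch: only the strings a scanner keys on, in one place.
    "setup.js": (
        "const fs = require('fs');\n"
        "const k = fs.readFileSync(process.env.HOME + '/.ssh/id_rsa');\n"
        "const a = fs.readFileSync(process.env.HOME + '/.aws/credentials');\n"
        "const e = JSON.stringify(process.env);\n"
        "// 'https://content.dropboxapi.com/2/files/upload'\n"
        "// 'Authorization: Bearer sl.PLACEHOLDER_NOT_A_REAL_TOKEN_000000'\n"
    ),
}

if __name__ == "__main__":
    for pkg in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        print(json.dumps(triage_npm_package(pkg), indent=2))
```

Run on a real dependency tree, the same function can be pointed at each directory under `node_modules` after `npm install --ignore-scripts`, so the triage happens before any lifecycle hook has had a chance to execute; the "review" verdict is the queue for a human, and "high" is a reason to block the package and rotate any SSH or AWS credentials present on the machine that installed it.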