This BleepingComputer article actually qualifies as a smell test for a sophisticated attack.
If the thing looks legitimate, even the best can get compromised, just like you and me.
There seems to be a legitimate credential checker (we don't use it here). It got trojanized to the point where security researchers got duped.
It's always a good idea to check those links. I bet the security folks didn't check those links to see if the tool came from the source they thought they got it from.
Even so, attacks are definitely becoming more sophisticated these days.
Here’s the opening section of the article.
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker.
Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include red teamers, penetration testers, security researchers, as well as malicious actors.
The victims were infected using the same second-stage payload pushed via dozens of trojanized GitHub repositories delivering malicious proof-of-concept (PoC) exploits that targeted known security flaws, along with a phishing campaign prompting targets to install a fake kernel upgrade camouflaged as a CPU microcode update.

Here’s what Picture Smart has to say about the flow chart.
The image depicts a flowchart illustrating a cyber threat diagram. It shows the process from phishing emails leading to a website, “opencompiled.org,” and two clusters of trojanized GitHub repositories. These repositories contain malicious npm packages (0xengine/meow and 0xengine/xmlrpc) that drop code onto “Codeberg.” Data from these sources is exfiltrated to Dropbox and file.io. The whole setup describes a method for distributing and extracting malicious code through phishing and repository exploitation.
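One concrete way to "check those links" before running a PoC or tool that ships with a package.json, as an added example that is not code from the article, from Datadog, or from this post's author: the script below flags dependencies that npm would fetch from a URL, a GitHub shorthand, a local path or an npm: alias instead of from the registry entry the name suggests, and lifecycle scripts that run automatically during npm install. The package and script names in the embedded sample are made up for the example.

```python
"""Audit an npm project's package.json before running `npm install`.

Added example; not code from the BleepingComputer article or Datadog's report.
Two checks that matter when the project is a PoC or tool you did not write:
  1. dependencies whose version spec bypasses the registry (git/tarball URLs,
     github: shorthand, file: paths, npm: aliases) - what gets installed is
     whatever that link points at, not necessarily what the name suggests;
  2. lifecycle scripts that npm runs automatically during install.
"""
import json
import sys
from typing import Dict, List, Tuple

# Hooks npm runs on its own when the root package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed sample input with hypothetical package names; not a real project.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-credential-checker",
  "version": "1.0.0",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node setup.js"
  },
  "dependencies": {
    "log-helper": "^1.6.0",
    "xml-helper": "https://files.example.invalid/xml-helper-4.3.2.tgz",
    "auth-utils": "github:someuser/auth-utils#main",
    "pretty-logger": "npm:totally-different-package@^2"
  },
  "devDependencies": {
    "test-runner": "~29.7.0"
  }
}
"""


def is_registry_spec(spec: str) -> bool:
    """True if npm resolves this spec through the registry under the given name.

    Semver ranges ("^1.2.3", ">=1 <2", "1.x", "^1 || ^2") and dist-tags
    ("latest") never contain ':' or '/'. Every non-registry form does: URLs,
    "file:", "npm:" and "workspace:" carry ':'; GitHub shorthand
    ("owner/repo#ref") carries '/'.
    """
    return ":" not in spec and "/" not in spec


def audit_package_json(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return (name, spec) pairs fetched outside the registry and
    (hook, command) pairs that execute during install."""
    pkg = json.loads(text)
    findings: Dict[str, List[Tuple[str, str]]] = {
        "non_registry_deps": [],
        "install_scripts": [],
    }
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not is_registry_spec(str(spec)):
                findings["non_registry_deps"].append((name, str(spec)))
    for hook, command in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings["install_scripts"].append((hook, command))
    return findings


def main(argv: List[str]) -> int:
    # With a path argument the real file is audited; otherwise the sample is.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PACKAGE_JSON
    findings = audit_package_json(text)
    for name, spec in findings["non_registry_deps"]:
        print(f"[dep]    {name} is fetched from outside the registry: {spec}")
    for hook, command in findings["install_scripts"]:
        print(f"[script] {hook} runs automatically on install: {command}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_pkg.py path/to/repo/package.json`; a non-zero exit means something needs a look before you type npm install. The caveat: this only catches code that arrives from somewhere other than where the dependency name says, plus code that runs without you calling it. A package that was published to the registry under its own name and is itself trojanized passes both checks, so the script is a first gate, not a verdict.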
The fact that GitHub is part of the problem shouldn't be surprising to me. I don’t understand why they don’t kill the accounts uploading these things and
The article is titled 390,000 WordPress accounts stolen from hackers in supply chain attack, if you want to read the rest of it.
Discover more from Jared's Technology podcast network