Hacked WordPress Sites Abusing Visitors’ Browsers for Distributed Brute-Force Attacks
Description

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.

The attacks, which take the form of distributed brute-force attacks, "target WordPress websites from the browsers of completely innocent and unsuspecting site visitors," security researcher Denis Sinegubko said.

The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don't load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.

The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other potential victim sites:

1. Obtaining a list of target WordPress sites
2. Extracting real usernames of authors that post on those domains
3. Injecting the malicious JavaScript code into already infected WordPress sites
4. Launching a distributed brute-force attack on the target sites via the browser when visitors land on the hacked sites
5. Gaining unauthorized access to the target sites

"For every password in the list, the visitor's browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted…
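A site owner on the receiving end can look for this pattern in web server logs. The following is an added example, not code from Sucuri or the original article: it groups POST requests to `/xmlrpc.php` by the third-party page named in the Referer header and reports pages whose visitors arrive from many distinct addresses. It assumes Combined Log Format and that visitors' browsers attach the infected page's origin as Referer; the hostnames, addresses, function name and the `min_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation address ranges, .example hosts).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://infected.example/" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://infected.example/" "Mozilla/5.0"',
    '203.0.113.12 - - [05/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://infected.example/" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://infected.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"',
    '198.51.100.8 - - [05/Mar/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://target.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://infected.example/" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Mar/2024:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "https://other.example/post" "Mozilla/5.0"',
]

def find_browser_driven_xmlrpc(lines, own_host, min_ips=3):
    """Return {referer_host: sorted client IPs} for third-party pages whose
    visitors POST to /xmlrpc.php from at least min_ips distinct addresses."""
    ips_by_referer = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlparse(m["path"]).path.rstrip("/") != "/xmlrpc.php":
            continue
        ref_host = urlparse(m["referer"]).hostname
        if ref_host is None or ref_host == own_host:
            continue  # no Referer ("-"), or a request from the site's own pages
        ips_by_referer[ref_host].add(m["ip"])
    return {h: sorted(ips) for h, ips in ips_by_referer.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    for host, ips in find_browser_driven_xmlrpc(SAMPLE_LOG, "target.example").items():
        print(f"{host}: {len(ips)} distinct clients posting to /xmlrpc.php")
```

Referer hosts reported this way are candidates for notifying the owner of the injecting site; on the target itself, disabling or restricting XML-RPC where it is not needed removes the endpoint the requests rely on.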
