https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors

Over 390,000 WordPress credentials and sensitive data stolen in a large-scale campaign targeting cybersecurity professionals.

A sophisticated cyberespionage campaign spanning over a year has compromised hundreds of systems belonging to security researchers, penetration testers, and potentially even malicious actors. Datadog Security Labs discovered the campaign, which is believed to be carried out by a threat actor tracked as MUT-1244.

Fake Exploits and Phishing Lured Victims

The attackers used a two-pronged approach:

  • Trojanized Repositories: They created fake repositories on GitHub containing malicious code disguised as proof-of-concept exploits for known vulnerabilities. Security professionals searching for exploit code unknowingly downloaded and executed the malware.
  • Phishing Emails: Victims were tricked into installing what were presented as kernel updates but were in fact malware.

Stolen Data Included SSH Keys and AWS Credentials

The malware targeted valuable data, including:

  • WordPress credentials (over 390,000 stolen)
  • SSH private keys
  • AWS access keys
  • Command history

Attackers Exploited Trust Within Security Community

The use of fake repositories on trusted platforms like GitHub allowed the attackers to exploit trust within the cybersecurity community. Additionally, some of the stolen credentials likely belonged to attackers who were using a tool called “yawpp” to validate stolen credentials. This suggests the attackers were targeting both legitimate security professionals and malicious actors.

Hundreds Still at Risk as Campaign Continues

Researchers believe hundreds of systems remain compromised, and the campaign is still ongoing. Security professionals and researchers are advised to be cautious when downloading code from untrusted sources and to be wary of unsolicited emails, even those seemingly related to security updates.