Massive Balada Injector Attack Targets WordPress Sites in September 2023
In September 2023, a large-scale cyberattack using the Balada Injector malware compromised over 17,000 WordPress websites, a significant increase from the previous month.
The attack exploited a known security vulnerability, showing how many sites remained unpatched against it.
This news item covers the details of the attack and its implications.
Key Takeaways on Massive Balada Injector Attack Targets WordPress Sites in September 2023:
- Widespread Compromises: Over 17,000 WordPress websites fell victim to the Balada Injector attack in September 2023, which exploited security vulnerabilities to gain access to these sites.
- Vulnerable Plugin Exploited: Approximately 9,000 of the compromised websites were infiltrated using a recently disclosed flaw in the tagDiv Composer plugin (CVE-2023-3169). This vulnerability allowed unauthenticated users to execute stored cross-site scripting (XSS) attacks.
- Balada Injector Campaign: Balada Injector is an ongoing large-scale operation discovered in December 2022. It exploits WordPress plugin vulnerabilities to deploy a Linux backdoor on affected systems, ultimately redirecting users to malicious content.
The Balada Injector Attack
In September 2023, more than 17,000 WordPress websites fell victim to a major cyberattack conducted using the Balada Injector malware.
This attack was notable because it involved almost twice the number of compromises seen the previous month.
Plugin Vulnerability Exploited
Of the compromised websites, around 9,000 were breached by exploiting a recently disclosed security flaw in the tagDiv Composer plugin, identified as CVE-2023-3169 with a CVSS score of 6.1.
This vulnerability enabled unauthenticated users to execute stored cross-site scripting (XSS) attacks.
Targeting tagDiv’s Premium Themes
The Balada Injector gang has a history of targeting vulnerabilities in tagDiv’s premium themes.
A campaign dating back to the summer of 2017 actively exploited disclosed security flaws in the Newspaper and Newsmag WordPress themes.
Balada Injector Campaign Overview
The Balada Injector campaign, first discovered in December 2022, involves threat actors exploiting various WordPress plugin vulnerabilities to deploy a Linux backdoor on vulnerable systems.
The primary objective of this operation is to direct users of compromised websites to fraudulent tech support pages, deceptive lottery scams, and push notification fraud.
The campaign has impacted over a million websites since 2017.
Recurring Attack Waves
The attacks orchestrated by Balada Injector occur in recurring waves every few weeks: a wave typically begins over the weekend, and a notable surge in infections is detected on the following Tuesday.
Exploiting Vulnerabilities
The recent breaches exploited CVE-2023-3169 to inject a malicious script into the affected sites.
The injected script then let the attackers establish persistent access by uploading backdoors, adding malicious plugins, and creating rogue administrator accounts.
Complex Attack Techniques
Balada Injector’s attack scripts have continually evolved. They have shown the ability to plant backdoors in websites’ 404 error pages, enabling the execution of arbitrary PHP code.
Alternatively, these scripts can use embedded code to automatically install a malicious wp-zexit plugin.
This method allows attackers to mimic the entire process of installing a plugin from a ZIP archive file and activating it.
Sophisticated Malware
Newer attack waves, observed in late September 2023, incorporated randomized code injections to download and execute a second-stage malware from a remote server, installing the wp-zexit plugin.
Additionally, obfuscated scripts were employed to transmit visitor cookies to an attacker-controlled URL, receiving unspecified JavaScript code in return.
Shift in Attack Methods
In the most recent attacks, rather than exploiting the tagDiv Composer vulnerability, threat actors relied on backdoors and malicious admin users they had created after successfully targeting website administrators.
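The persistence indicators described in the preceding sections (tampered 404.php templates, the rogue wp-zexit plugin, rogue administrator accounts, and scripts that ship visitor cookies to an external URL) can be checked for offline. The following triage script is an added example and is not code from the article or from Sucuri; the backdoor heuristics, the sample site it builds in a temporary directory, the user list, and the allowlists are all constructed for illustration, and the PHP and JavaScript "indicators" it writes are inert placeholders rather than working payloads.

```python
import os
import re
import tempfile

# Heuristic PHP constructs typical of injected backdoors (assumption: a starting
# list a defender would extend, not an exhaustive signature set).
PHP_BACKDOOR_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "request-driven-exec": re.compile(
        r"\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
}
# JavaScript that reads document.cookie and, shortly after, names a remote URL.
COOKIE_EXFIL = re.compile(r"document\.cookie[\s\S]{0,300}?https?://", re.IGNORECASE)


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_404_templates(root):
    """Return [(relative path, indicator)] for each theme 404.php matching a pattern."""
    hits = []
    themes = os.path.join(root, "wp-content", "themes")
    for dirpath, _, files in os.walk(themes):
        if "404.php" not in files:
            continue
        path = os.path.join(dirpath, "404.php")
        body = _read(path)
        for name, pattern in PHP_BACKDOOR_PATTERNS.items():
            if pattern.search(body):
                hits.append((os.path.relpath(path, root), name))
    return hits


def find_unknown_plugins(root, allowlist):
    """Plugin directories that are not on the site owner's allowlist (e.g. wp-zexit)."""
    plugins = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return []
    return sorted(d for d in os.listdir(plugins)
                  if os.path.isdir(os.path.join(plugins, d)) and d not in allowlist)


def find_rogue_admins(users, allowlist):
    """users: list of {"login", "role"} dicts as exported from wp_users/wp_usermeta."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and u["login"] not in allowlist)


def scan_cookie_exfil(root):
    """Files under the install that read cookies and reference an external URL."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".js", ".php", ".html")):
                path = os.path.join(dirpath, name)
                if COOKIE_EXFIL.search(_read(path)):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def triage(root, users, plugin_allowlist, admin_allowlist):
    """Run all four checks and return one report dict."""
    return {
        "tampered_404": scan_404_templates(root),
        "unknown_plugins": find_unknown_plugins(root, plugin_allowlist),
        "rogue_admins": find_rogue_admins(users, admin_allowlist),
        "cookie_exfil": scan_cookie_exfil(root),
    }


def build_sample_site():
    """Constructed mini install: one clean theme, one with a tampered 404.php,
    a rogue plugin directory and an uploaded script that reads cookies."""
    root = tempfile.mkdtemp(prefix="wp-triage-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("wp-content/themes/theme-a/404.php",
          "<?php get_header(); ?><h1>Not found</h1><?php get_footer(); ?>")
    # Constructed indicator: the decoded string is a placeholder, not a payload.
    write("wp-content/themes/theme-b/404.php",
          "<?php get_header(); ?>\n<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    write("wp-content/plugins/akismet/akismet.php", "<?php // legitimate plugin stub\n")
    write("wp-content/plugins/wp-zexit/wp-zexit.php", "<?php // rogue plugin named in the article\n")
    write("wp-content/uploads/x.js",
          "var c = document.cookie; // constructed indicator: sent to https://collector.invalid/\n")
    return root


# Constructed user export; only "editor-in-chief" is a known, legitimate admin.
SAMPLE_USERS = [
    {"login": "editor-in-chief", "role": "administrator"},
    {"login": "wp-backup-svc", "role": "administrator"},
    {"login": "jane", "role": "editor"},
]

if __name__ == "__main__":
    site = build_sample_site()
    report = triage(site, SAMPLE_USERS, {"akismet"}, {"editor-in-chief"})
    for check, findings in report.items():
        print(f"{check}: {findings}")
```

The checks deliberately compare against allowlists the site owner maintains rather than against a blocklist of known-bad names, because the article notes that injected plugin names and code change between waves; a new administrator account or plugin that nobody on the team recognises is the durable signal, and the same approach can be run against a real install by pointing `triage()` at the WordPress root and feeding it a user export.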
Conclusion
The massive Balada Injector attack in September 2023 highlights the persistent threat to WordPress websites.
As threat actors adapt their tactics, website administrators and owners must remain vigilant, applying security patches promptly and employing robust security measures to safeguard their sites.
About WordPress: WordPress is a widely used content management system, while Balada Injector is a notorious malware campaign targeting WordPress vulnerabilities. Sucuri, a website security firm, is among the organizations actively monitoring and reporting on cyber threats to enhance website security.