The notorious Balada Injector campaign has been linked to the compromise of over 17,000 WordPress websites. Balada Injector, discovered in 2022 but believed to have been operational since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to implant malicious backdoors.
Upon infiltration, these backdoors divert website visitors to counterfeit tech support pages, fake lottery wins, push notification hoaxes and other scams.
With such a range of deceptive tactics, experts postulate that Balada Injector is either a service peddled to other threat actors or a direct component of a scam initiative.
The recent wave of attacks is attributed to the exploitation of CVE-2023-3169, a cross-site scripting (XSS) vulnerability in the tagDiv Composer plugin. Bundled with the Newspaper and Newsmag WordPress themes, both premium offerings, this plugin is found on an estimated 155,000 websites, setting a vast stage for potential attacks.
Following the vulnerability's public disclosure and the release of a proof-of-concept, this campaign took off in September.
Website security firm Sucuri revealed the extent of the compromise in a recent report, highlighting specific indicators of the attack, such as a malicious script present within distinct tags.
Sucuri identified six distinct attack waves. Among them, one wave modified the theme's 404.php file via WordPress' theme editor, and another installed a wp-zexit plugin that mimics legitimate WordPress administrator actions.
Over 9,000 of the 17,000 compromised sites were breached through the CVE-2023-3169 vulnerability, showcasing the attackers' effectiveness and their ability to adapt swiftly for maximum impact.
For webmasters and site owners, the best line of defense is to promptly update the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular updates to themes, plugins and all website components remain crucial in safeguarding against such formidable threats.
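The indicators above (a modified 404.php template carrying an injected script, a rogue wp-zexit plugin directory, and a tagDiv Composer install older than 4.2) can be turned into a simple site-level check. The following script is an added example written for this article, not code from Sucuri or from the tagDiv project. It assumes the plugin lives in wp-content/plugins/td-composer/td-composer.php (the directory and file name are assumptions, not stated in the article), it builds a constructed sample site in a temporary directory, and it treats script tags in 404.php as suspicious only when they load from a foreign host or use common obfuscation constructs, so ordinary theme JavaScript is not flagged.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Version in which, per the article, CVE-2023-3169 is fixed.
FIXED_TAGDIV_VERSION: Tuple[int, ...] = (4, 2)
# Assumed plugin directory and main file (the article does not name them).
TAGDIV_MAIN_FILE = Path("wp-content/plugins/td-composer/td-composer.php")
# Rogue plugin directory named in the article.
ROGUE_PLUGIN_DIRS = {"wp-zexit"}
# Theme template the article says one wave modified through the theme editor.
WATCHED_TEMPLATES = {"404.php"}

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Constructs often used to hide injected redirect logic; a heuristic, not a signature.
OBFUSCATION_HINTS = ("eval(", "atob(", "fromCharCode", "unescape(", "document.write(")


def parse_version(header: str) -> Optional[Tuple[int, ...]]:
    """Read the 'Version:' line of a WordPress plugin header into a comparable tuple."""
    m = VERSION_RE.search(header)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def tagdiv_is_patched(version: Optional[Tuple[int, ...]]) -> bool:
    """True when the installed tagDiv Composer version is 4.2 or later."""
    return version is not None and version >= FIXED_TAGDIV_VERSION


def suspicious_scripts(php_source: str, site_host: str) -> List[str]:
    """Return script elements that load from a foreign host or look obfuscated."""
    hits: List[str] = []
    for attrs, body in SCRIPT_RE.findall(php_source):
        src = SRC_RE.search(attrs)
        if src:
            url = src.group(1)
            # Only absolute URLs can point off-site; relative paths are the site's own.
            if url.startswith(("http://", "https://", "//")) and site_host not in url:
                hits.append(url)
        elif any(h in body for h in OBFUSCATION_HINTS):
            hits.append(body.strip()[:60])
    return hits


def scan_site(root: Path, site_host: str) -> Dict[str, object]:
    """Check one WordPress install for the three indicators described in the article."""
    findings: Dict[str, object] = {
        "unpatched_tagdiv": False,
        "rogue_plugins": [],
        "tampered_templates": {},
    }
    main = root / TAGDIV_MAIN_FILE
    if main.exists():
        findings["unpatched_tagdiv"] = not tagdiv_is_patched(parse_version(main.read_text()))
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        findings["rogue_plugins"] = sorted(
            d.name for d in plugins.iterdir() if d.is_dir() and d.name in ROGUE_PLUGIN_DIRS
        )
    themes = root / "wp-content" / "themes"
    if themes.is_dir():
        for tpl in themes.rglob("*.php"):
            if tpl.name in WATCHED_TEMPLATES:
                hits = suspicious_scripts(tpl.read_text(), site_host)
                if hits:
                    findings["tampered_templates"][str(tpl.relative_to(root))] = hits
    return findings


def build_sample_site(root: Path) -> None:
    """Write a constructed sample site showing all three indicators (demo data only)."""
    (root / TAGDIV_MAIN_FILE).parent.mkdir(parents=True)
    (root / TAGDIV_MAIN_FILE).write_text(
        "<?php\n/*\nPlugin Name: tagDiv Composer\nVersion: 4.1\n*/\n"  # constructed, below 4.2
    )
    (root / "wp-content" / "plugins" / "wp-zexit").mkdir()
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "404.php").write_text(
        "<?php get_header(); ?>\n<h1>Not found</h1>\n"
        "<script src='https://example.invalid/inject.js'></script>\n"  # constructed foreign host
        "<?php get_footer(); ?>\n"
    )
    # A benign inline script in another template should not be reported.
    (theme / "index.php").write_text("<script>console.log('theme js');</script>\n")


def demo() -> Dict[str, object]:
    """Build the constructed site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_site(root, site_host="example.com")


if __name__ == "__main__":
    print(demo())
```

Run it against a real install by calling scan_site(Path("/var/www/html"), "your-site.example") instead of demo(); a clean site returns unpatched_tagdiv False, an empty rogue_plugins list and an empty tampered_templates dict. The version check is the only finding that maps to a definite fix (update to 4.2 or later); the other two are indicators that warrant a closer look rather than proof of compromise on their own.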
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.