Guarding the Digital Realm: Balada Injector’s Impact on 17,000+ WordPress Sites

A recent report has revealed the scale of the campaign: in September 2023, around 17,000 WordPress websites were compromised by the malware known as Balada Injector, double the number recorded in August.

A newly discovered security vulnerability in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) is thought to have been used to compromise 9,000 of these websites, giving unauthorized users the ability to conduct stored cross-site scripting (XSS) attacks.

“This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv’s premium themes,” Sucuri security researcher Denis Sinegubko said.

“One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused.”

Doctor Web first documented the large-scale operation known as Balada Injector in December 2022. Exploiting a number of WordPress plugin vulnerabilities, the threat actors use Balada Injector to install a Linux backdoor on vulnerable systems.

The implant’s primary objective is to redirect visitors of hijacked websites to fake tech support pages, fraudulent lottery winnings, and push notification scams. Since 2017, the campaign has affected over a million websites. Balada Injector attacks come in periodic waves roughly every two weeks, with an increase in infections observed on Tuesdays after a wave begins over the weekend.

The most recent round of breaches involves the use of CVE-2023-3169 to insert a malicious script, which is then used to upload backdoors, add malicious plugins, and create rogue blog administrators in order to gain permanent control over the websites.

These scripts have historically targeted WordPress site administrators who are logged in, since an administrator session gives the adversary elevated privileges to perform malicious actions through the admin interface, such as creating additional admin users for use in subsequent attacks.

The scripts’ ability to automatically install a malicious wp-zexit plugin through code embedded in the website’s 404 error pages, or to plant a backdoor in those pages that can execute arbitrary PHP code, shows how the campaign keeps evolving.

Sucuri called it “one of the most complex types of attacks” the script could execute, since it imitates every step of installing and activating a plugin from a ZIP archive. The plugin’s primary purpose, running PHP code sent remotely by the threat actors, is the same as that of the backdoor.

More recent attack waves, observed in late September 2023, are characterized by randomized code injections that download and run second-stage malware from a remote site in order to install the wp-zexit plugin. Obfuscated scripts are also used that send the cookies of any user to a URL controlled by the threat actor and retrieve arbitrary JavaScript code in return.
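As an added example (not from the article, Sucuri, or Doctor Web), a defender-side check that scans a WordPress directory tree for two of the indicators the article names: a plugin directory called wp-zexit, and theme 404.php files that contain PHP code-execution constructs or externally hosted script includes. The directory layout, file contents, and the regular expressions are constructed assumptions for illustration; the regex is a heuristic, not a signature for the actual payload.

```python
import os
import re
import tempfile

# Heuristic: PHP constructs commonly used by injected backdoors to run attacker-supplied code.
SUSPICIOUS_PHP = re.compile(r"\b(eval|base64_decode|assert|create_function)\s*\(", re.I)
# Heuristic: a script tag loading JavaScript from an external host inside an error page.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"']https?://", re.I)
# Plugin name reported in the article; the set is the only "signature" used here.
KNOWN_BAD_PLUGINS = {"wp-zexit"}


def scan_wordpress(root):
    """Return a list of (indicator, path) findings for a WordPress install at root."""
    findings = []
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    if os.path.isdir(plugins_dir):
        for name in os.listdir(plugins_dir):
            if name.lower() in KNOWN_BAD_PLUGINS:
                findings.append(("known-malicious-plugin", os.path.join(plugins_dir, name)))
    themes_dir = os.path.join(root, "wp-content", "themes")
    for dirpath, _, files in os.walk(themes_dir):
        if "404.php" not in files:
            continue
        path = os.path.join(dirpath, "404.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        if SUSPICIOUS_PHP.search(body):
            findings.append(("php-exec-in-404", path))
        if EXTERNAL_SCRIPT.search(body):
            findings.append(("external-script-in-404", path))
    return findings


def build_sample_site():
    """Create a constructed WordPress-like tree: one clean theme, one 'infected' theme, one bad plugin."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "plugins", "wp-zexit"))
    clean = os.path.join(root, "wp-content", "themes", "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?><h1>Page not found</h1><?php get_footer(); ?>\n")
    infected = os.path.join(root, "wp-content", "themes", "infected")
    os.makedirs(infected)
    with open(os.path.join(infected, "404.php"), "w") as fh:
        # Placeholder marker only; not a functioning backdoor.
        fh.write("<?php get_header(); ?>\n<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    return root


if __name__ == "__main__":
    for indicator, path in scan_wordpress(build_sample_site()):
        print(indicator, path)
```

Run against a real install by passing its document root to scan_wordpress(); every finding should be reviewed by hand, since legitimate themes occasionally use base64_decode.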
