According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions.
However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover.
While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down.
A Focus on WordPress Plug-in & Theme Vulnerabilities
Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects.
Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses.
"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains.
Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities."
Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched.
Targeting the WordPress Ecosystem
Given how the WordPress ecosystem is extremely buggy, it has become a popular target for cybercriminals among any other stripes.
"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder, and CTO at the Bugcrowd bug bounty platform.
Protecting Against WordPress Plug-in Insecurity
To safeguard oneself against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is updated, delete unused plug-ins and themes, and implement a Web application firewall to protect against Balada Injector and other WordPress threats.
According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary.
"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says.
Even large organizations are not resistant to WordPress Security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.