
Over 17,000 Websites Exploited in Massive Balada Injector Campaign


Over 17,000 WordPress websites have been compromised as a result of the notorious Balada Injector attack. The Balada Injector, discovered in 2022 but thought to have been active since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to install malicious backdoors. 

Following infection, these backdoors redirect website visitors to fake tech support pages, bogus lottery winnings, fraudulent push notification hoaxes, and other scams. 

With such a wide range of deceptive techniques, experts believe that Balada Injector is either a service offered to other threat actors or a direct component of a scam operation. 

The recent wave of attacks is being blamed on the tagDiv Composer plugin's CVE-2023-3169 cross-site scripting (XSS) vulnerability. This plugin is found on an estimated 155,000 websites with the Newspaper and Newsmag WordPress themes, both premium products, laying the groundwork for possible attacks. 

The current wave began in September, following public disclosure of the vulnerability and the publication of a proof-of-concept. 

In a recent analysis, website security firm Sucuri exposed the extent of the infiltration, citing specific indicators of the attack, such as a malicious script injected inside separate tags. Sucuri identified six different attack waves: 

  • Over 5,000 websites were compromised by malicious script injections from stay.decentralappps[.]com. 
  • Rogue WordPress administrator accounts were created, first with the login "greeceman" and later with logins generated automatically from each site's hostname.
  • Covert persistence was gained by using the WordPress theme editor to modify the 404.php file of the Newspaper theme.
  • A deceptive wp-zexit plugin was installed, which mimics legitimate WordPress administrator activity. 
  • Three new malicious domains with heavier obfuscation were introduced, complicating detection. 
  • The campaign switched to promsmotion[.]com subdomains in place of the earlier domain, with three distinct injection methods found on a total of 235 websites. 

The CVE-2023-3169 vulnerability was used to compromise over 9,000 of the 17,000 compromised sites, demonstrating the attackers' tremendous effectiveness and ability to adapt quickly for maximum impact. 
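The indicators listed in the six waves above (script injections from the named domains, the "greeceman" and hostname-derived administrator accounts, the wp-zexit plugin, and the edited 404.php) map directly onto checks a site owner can run during triage. The following is an added example written for this page, not Sucuri's tooling: the two domains are taken from the article with the de-fanging brackets removed, while the site hostname, the script-host allowlist, the sample page, the administrator list, the plugin list, and the theme baseline hashes are all constructed here. The hostname-derived-login heuristic is this example's assumption about how such accounts look.

```python
"""Triage checks for the Balada Injector indicators reported above.
Added example (not Sucuri's tooling). The two domains come from the article
(de-fanged brackets removed); the site hostname, allowlist, sample page,
user list, plugin list and theme baseline are all constructed here."""
import hashlib
import re
from urllib.parse import urlparse

# Script hosts named in the article; subdomains of these are flagged too.
BALADA_DOMAINS = {"stay.decentralappps.com", "promsmotion.com"}

# Hosts this (constructed) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-news.test", "cdnjs.cloudflare.com"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)",
                           re.IGNORECASE)


def _under(host, domain):
    """True when host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_injected_scripts(html):
    """Return (host, reason) for every external script whose host is a known
    Balada domain or is simply not on the site's allowlist (the campaign
    rotates domains, so the allowlist catches what the IoC list misses)."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:                  # relative path, served locally
            continue
        host = host.lower()
        if any(_under(host, d) for d in BALADA_DOMAINS):
            findings.append((host, "known Balada Injector domain"))
        elif not any(_under(host, d) for d in ALLOWED_SCRIPT_HOSTS):
            findings.append((host, "script host not on allowlist"))
    return findings


def find_rogue_admins(admin_logins, site_host, known_admins):
    """Flag the 'greeceman' login and any unknown admin whose login embeds the
    site's hostname stem; the latter is this example's heuristic for the
    hostname-derived accounts the article describes."""
    stem = re.sub(r"[^a-z0-9]", "", site_host.split(".")[0].lower())
    rogue = []
    for login in admin_logins:
        if login in known_admins:
            continue
        normalized = re.sub(r"[^a-z0-9]", "", login.lower())
        if login.lower() == "greeceman" or (stem and stem in normalized):
            rogue.append(login)
    return rogue


def find_rogue_plugins(plugin_slugs):
    """The article names wp-zexit as the fake plugin dropped by the campaign."""
    return [slug for slug in plugin_slugs if slug.lower() == "wp-zexit"]


def find_modified_theme_files(theme_files, baseline_hashes):
    """Compare theme files with SHA-256 hashes taken from a pristine copy of the
    theme; 404.php is the file the article reports being edited for persistence."""
    changed = []
    for path, content in theme_files.items():
        digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
        if baseline_hashes.get(path) != digest:
            changed.append(path)
    return sorted(changed)


# --- constructed sample data -------------------------------------------------
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.js"></script>
<script src='//stay.decentralappps.com/scripts/main.js'></script>
<script type="text/javascript" src="https://cdn-a7.promsmotion.com/p.js"></script>
</head><body>Not Found</body></html>"""
SAMPLE_ADMINS = ["editor_in_chief", "greeceman", "examplenews_admin"]
SAMPLE_PLUGINS = ["akismet", "td-composer", "wp-zexit"]
PRISTINE_404 = "<?php get_header(); ?>\n<h1>Not Found</h1>\n<?php get_footer(); ?>\n"
BASELINE = {"Newspaper/404.php": hashlib.sha256(PRISTINE_404.encode("utf-8")).hexdigest(),
            "Newspaper/index.php": hashlib.sha256(b"<?php get_header(); ?>\n").hexdigest()}
SAMPLE_THEME = {"Newspaper/404.php": PRISTINE_404 + "<?php /* appended by attacker */ ?>\n",
                "Newspaper/index.php": "<?php get_header(); ?>\n"}


def triage():
    """Run every check over the sample data and return the findings."""
    return {
        "injected_scripts": find_injected_scripts(SAMPLE_HTML),
        "rogue_admins": find_rogue_admins(SAMPLE_ADMINS, "example-news.test",
                                          {"editor_in_chief"}),
        "rogue_plugins": find_rogue_plugins(SAMPLE_PLUGINS),
        "modified_theme_files": find_modified_theme_files(SAMPLE_THEME, BASELINE),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits or 'clean'}")
```

On a real site the inputs come from the rendered front page, the administrator list (for example from the WordPress users screen or WP-CLI), the `wp-content/plugins` directory listing, and a clean download of the theme for the baseline hashes. The allowlist check matters more than the two hard-coded domains: the article notes that the campaign rotates domains and added three new, more obfuscated ones, so any script host a site does not recognise deserves a look.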

Webmasters and site owners should immediately upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular upgrades to themes, plugins, and all website components remain critical in protecting against such formidable threats.

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs

A campaign that exploits multiple WordPress plug-in and theme vulnerabilities, including a sizable number of zero-days, to inject malicious code into websites has infected at least 1 million WordPress-powered sites. 

According to research by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, having infected victim sites with malware since at least 2017. Once injected into a page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 
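The files the paragraph above says the injected scripts hunt for (access and error logs, debug output, database management tools, and administrator credentials) are usually there because someone left them inside the web root. The following is an added example, not Sucuri's tooling, that walks a web root and reports such files; the filename patterns are this example's assumptions about common exposures, and the sample tree it scans is constructed in `make_sample_webroot()`.

```python
"""Audit a web root for the kinds of files the article says the injected
scripts hunt for: access and error logs, debug output, database management
tools and credential backups. Added example, not Sucuri's tooling; the name
patterns are this example's assumptions and the sample tree is constructed."""
import fnmatch
import os
import tempfile

# Filename pattern -> category. Matched case-insensitively against every file
# and directory name under the web root; first matching pattern wins.
SENSITIVE_PATTERNS = {
    "*.log": "log file",                          # access.log, wp-content/debug.log
    "error_log": "log file",                      # PHP's default error_log name
    "debug*.txt": "debug output",
    "adminer*.php": "database tool",
    "phpmyadmin": "database tool",                # a directory name
    "wp-config.php.*": "config backup (database credentials)",
    "*.sql": "database dump",
    ".env": "credentials file",
}


def scan_webroot(root):
    """Walk root and return sorted (relative_path, category) pairs for anything
    matching SENSITIVE_PATTERNS. Everything under the web root is assumed to be
    served by the web server unless explicitly denied."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            for pattern, category in SENSITIVE_PATTERNS.items():
                if fnmatch.fnmatch(name.lower(), pattern):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append((rel.replace(os.sep, "/"), category))
                    break
    return sorted(findings)


def make_sample_webroot():
    """Build a throwaway WordPress-like tree (constructed sample data) containing
    the legitimate files plus a few typical leftovers an attacker would look for."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder');",
        "wp-config.php.bak": "<?php define('DB_PASSWORD', 'placeholder');",
        "adminer.php": "<?php // database tool left behind",
        "wp-content/debug.log": "[01-Jan-2024 00:00:00 UTC] PHP Notice: constructed log line",
        "wp-content/uploads/photo.jpg": "",
        "backup/site.sql": "-- constructed dump",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, category in scan_webroot(make_sample_webroot()):
        print(f"{category:40} {rel}")
```

Each hit is a file to move outside the document root or to block at the web server, so that a script which has already gained a foothold in the page has nothing further to harvest. Note that `wp-config.php` itself is not reported: it must exist, and the exposure the pattern targets is the `.bak`, `.old` or similar copy that the server will happily serve as plain text.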

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Most notably, the operators of Balada Injector also exploit security flaws in WordPress plug-ins and themes. These modular WordPress add-ons let site administrators integrate a variety of features, such as polling support, message board functionality, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri's analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Because the WordPress ecosystem is so bug-prone, it has become a popular target for cybercriminals of all stripes. 

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder and CTO of the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To protect against Balada Injector and other WordPress threats, organizations must first ensure that all of their website software is up to date, delete unused plug-ins and themes, and deploy a Web application firewall. 
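The first two measures above (keep everything updated, remove what is unused), together with the earlier post's advice to get tagDiv Composer to version 4.2 or later, can be checked from the plugin headers on disk without touching the database. The following is an added example written for this page, not Sucuri's or WordPress's tooling: it reads the `Plugin Name:` and `Version:` headers that WordPress itself uses, compares each version against a floor, and lists plugins that are installed but not active. The 4.2 floor is from the article; the `td-composer` slug is an assumption, and the other plugin names, versions, and the active list are constructed sample data.

```python
"""Inventory a WordPress plugins directory from the plugin headers on disk and
report plugins below a required version or installed but inactive. Added
example, not Sucuri's or WordPress's tooling. The 4.2 floor for tagDiv Composer
is from the article; the td-composer slug is an assumption and the other
plugins, versions and the active list are constructed sample data."""
import os
import re
import tempfile

# Minimum acceptable versions. The tagDiv entry comes from the article; the
# slug "td-composer" is an assumption for this example.
MIN_VERSIONS = {"td-composer": "4.2"}

# Matches header lines such as " * Version: 4.1" inside the leading PHP comment.
HEADER_FIELD_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                             re.MULTILINE)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from the comment block that
    WordPress reads at the top of a plugin's main file."""
    return {field: value for field, value in HEADER_FIELD_RE.findall(text[:8192])}


def version_tuple(version):
    """'4.10.1' -> (4, 10, 1); a non-numeric tail such as '-beta' is dropped so
    comparisons stay numeric ('4.10' correctly sorts above '4.2')."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inventory(plugins_dir):
    """Map slug -> header dict, reading the first top-level PHP file of each
    plugin directory that carries a 'Plugin Name:' header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, name), encoding="utf-8",
                      errors="replace") as fh:
                header = parse_plugin_header(fh.read())
            if "Plugin Name" in header:
                found[slug] = header
                break
    return found


def audit(plugins_dir, active_plugins, min_versions=MIN_VERSIONS):
    """active_plugins mirrors the entries of WordPress's active_plugins option
    ('slug/main-file.php'). Returns plugins below their floor and plugins that
    are installed but inactive (candidates for removal)."""
    active_slugs = {entry.split("/")[0] for entry in active_plugins}
    outdated, inactive = [], []
    for slug, header in inventory(plugins_dir).items():
        version = header.get("Version", "0")
        floor = min_versions.get(slug)
        if floor and version_tuple(version) < version_tuple(floor):
            outdated.append((slug, version, floor))
        if slug not in active_slugs:
            inactive.append(slug)
    return {"outdated": outdated, "inactive": inactive}


def make_sample_plugins_dir():
    """Constructed plugin tree: a below-floor tagDiv Composer, an active
    fictional plugin and an unused fictional plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "td-composer/td-composer.php": ("tagDiv Composer", "4.1"),
        "example-spam/example-spam.php": ("Example Spam Filter", "5.3"),
        "example-greeter/greeter.php": ("Example Greeter", "1.7.2"),
    }
    for rel, (name, version) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    report = audit(make_sample_plugins_dir(),
                   ["td-composer/td-composer.php", "example-spam/example-spam.php"])
    for slug, have, need in report["outdated"]:
        print(f"UPDATE  {slug}: {have} < {need}")
    for slug in report["inactive"]:
        print(f"REMOVE? {slug}: installed but not active")
```

On a live site the active list comes from the `active_plugins` option (for example via WP-CLI), and the floor table should be fed from whatever advisory source the team tracks. Version comparison is done numerically on purpose: a string comparison would rank 4.10 below 4.2 and hide an already-patched install, or worse, pass an unpatched one.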

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.