More than 17,000 WordPress websites were compromised by the Balada Injector campaign last month. The scale of the attacks has raised concern among website administrators and the wider security community.
Balada Injector Emerges
The Balada Injector, a large-scale operation first documented by Dr. Web in December 2022, exploits known vulnerabilities in premium themes and their companion plugins commonly used on WordPress sites. The operation chains exploits for flaws in various WordPress plugins and themes to implant a Linux backdoor on the hosting server.
The primary objective behind this backdoor is to redirect visitors of compromised websites to counterfeit tech support pages, fraudulent lottery claims, and push notification scams, thereby facilitating scam campaigns or potentially providing a service to scammers.
Balada Injector’s Extensive Reach
According to a report by Sucuri in April 2023, Balada Injector has been operational since 2017, with an estimated compromise of nearly one million WordPress websites over the years.
Current Campaign Targets Premium Themes
The latest Balada Injector campaign exploits CVE-2023-3169, a cross-site scripting (XSS) vulnerability in tagDiv Composer, the companion plugin for tagDiv's Newspaper and Newsmag premium WordPress themes. Newspaper has 137,000 sales and Newsmag more than 18,500, so roughly 155,500 sites are potentially exposed, before counting pirated copies in circulation.
The campaign began in mid-September, shortly after the vulnerability details and a proof-of-concept exploit were published. It drew attention when numerous WordPress administrators reported a malicious plugin named wp-zexit.php on their sites. The plugin let the attackers submit arbitrary PHP code remotely and have it executed on the compromised site, effectively a remote code execution backdoor, while code injected into the site's templates redirected visitors to attacker-controlled scam pages.
Countermeasures and Recommendations
In response to these attacks, tagDiv recommended updating the theme to the latest version and advised website owners to install security plugins like Wordfence, as well as change all website passwords.
Sucuri's recent report details the scale of the campaign and confirms that thousands of sites have already been compromised. Indicators of CVE-2023-3169 exploitation include malicious script injected into specific HTML tags on the rendered pages and obfuscated injections stored in the site's database, specifically in the ‘wp_options’ table.
Sucuri identified six distinct attack waves, some with variants, showcasing the adaptability of the threat actors behind Balada Injector. In total, over 17,000 WordPress websites were compromised in September 2023, with a significant portion of these achieved through exploiting CVE-2023-3169.
To safeguard against Balada Injector attacks, website owners are advised to upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the mentioned vulnerability. Additionally, keeping all themes and plugins up to date, removing dormant user accounts, and scanning files for hidden backdoors are crucial security measures.
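The three checks the recommendations above imply, as a small triage script: is the installed tagDiv Composer older than the 4.2 fix, is the reported wp-zexit.php plugin file present, and do any wp_options values carry injected or obfuscated script. This is an added example written for this page; it is not Sucuri's scanner, tagDiv's code, or anything from the original article. The obfuscation markers are a generic assumption about what injected code tends to look like rather than Balada-specific signatures, and the option names, file paths and values are constructed sample data.

```python
# Added triage example for the CVE-2023-3169 / Balada Injector indicators the
# article lists. Not Sucuri's scanner nor tagDiv's code. Option names, file
# paths and sample values below are constructed for illustration.
import re
from typing import Iterable, List, Tuple

# tagDiv Composer 4.2 is the fixed version named in the article.
FIXED_VERSION = (4, 2)

# The malicious plugin file name reported by site administrators (from the article).
SUSPICIOUS_FILENAMES = {"wp-zexit.php"}

# Generic markers of injected or obfuscated script. These are an assumption about
# what injections usually look like, not Balada-specific signatures. Every hit
# needs manual review: legitimate options (analytics snippets) can also match.
OBFUSCATION_PATTERNS = [
    ("inline script tag", re.compile(r"<script\b[^>]*>", re.I)),
    ("eval call", re.compile(r"\beval\s*\(", re.I)),
    ("fromCharCode decoder", re.compile(r"String\.fromCharCode\s*\(", re.I)),
    ("atob decoder", re.compile(r"\batob\s*\(", re.I)),
    ("base64_decode call", re.compile(r"\bbase64_decode\s*\(", re.I)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.10.1' -> (4, 10, 1). Compare numerically: '4.10' is newer than '4.2',
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def composer_vulnerable(installed: str) -> bool:
    """True when the installed tagDiv Composer version predates the 4.2 fix."""
    return parse_version(installed) < FIXED_VERSION


def suspicious_files(paths: Iterable[str]) -> List[str]:
    """Return paths whose basename matches a known bad plugin file name."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1] in SUSPICIOUS_FILENAMES]


def scan_text(label: str, text: str) -> List[dict]:
    """Report every obfuscation marker found in one blob (an option value or a file)."""
    hits = []
    for reason, pat in OBFUSCATION_PATTERNS:
        m = pat.search(text)
        if m:
            hits.append({"where": label, "reason": reason,
                         "excerpt": text[max(0, m.start() - 20):m.end() + 40]})
    return hits


def suspicious_options(rows: Iterable[Tuple[str, str]]) -> List[dict]:
    """rows: (option_name, option_value) pairs, e.g. the result of
    `SELECT option_name, option_value FROM wp_options`."""
    return [h for name, value in rows for h in scan_text(f"wp_options:{name}", value)]


# Constructed sample inputs (not real site data).
SAMPLE_PLUGIN_FILES = [
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/plugins/wp-zexit.php",
]
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("blogname", "Example News"),
    # injected footer script; String.fromCharCode hides the redirect target
    ("custom_footer_js",
     "<script>var s=document.createElement('script');"
     "s.src=String.fromCharCode(104,116,116,112,115,58,47,47);"
     "document.head.appendChild(s);</script>"),
    # serialized option carrying an eval'd base64 payload
    ("theme_mods_newspaper",
     'a:1:{s:9:"head_code";s:40:"<?php eval(base64_decode(\'ZWNobyAx\')); ?>";}'),
]

if __name__ == "__main__":
    print("composer 4.1 vulnerable:", composer_vulnerable("4.1"))
    print("bad plugin files:", suspicious_files(SAMPLE_PLUGIN_FILES))
    for hit in suspicious_options(SAMPLE_OPTIONS):
        print(f"{hit['where']}: {hit['reason']} -> {hit['excerpt']!r}")
```

On a real site the option rows would come from a database dump or `wp db query`, and the same `scan_text` helper can be pointed at theme template files to look for the injected redirect code. A hit is a lead, not a verdict: a site that legitimately embeds an analytics snippet in an option will also match the script-tag rule, so review the excerpt before cleaning.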
Sucuri also offers a free scanner that detects most Balada Injector variants, giving WordPress site owners a quick way to check whether their site already carries an injection.