In a concerning surge of cyber threats, over 17,000 WordPress websites fell victim to the relentless onslaught of Balada Injector attacks last month. Exploiting vulnerabilities in premium theme plugins, multiple Balada Injector campaigns wreaked havoc by compromising and infecting these sites.
First identified in December 2022 by cybersecurity firm Dr. Web, the Balada Injector operation involves the use of various exploits targeting well-known flaws in WordPress plugins and themes. This malicious endeavor installs a Linux backdoor, redirecting visitors to compromised websites to fraudulent tech support pages, fake lottery winnings, and push notification scams. Whether part of larger scam campaigns or sold as a service to cybercriminals, this infiltration represents a significant threat to online security.
Sucuri, a renowned cybersecurity company, revealed that Balada Injector has been active since 2017, estimating that it has infiltrated nearly one million WordPress sites. The recent wave of attacks has specifically targeted the CVE-2023-3169 cross-site scripting (XSS) flaw in tagDiv Composer, a companion tool for tagDiv’s Newspaper and Newsmag themes widely used by thriving online platforms. With an attack surface encompassing 155,500 websites, the assault began in mid-September, immediately following the disclosure of vulnerability details and the release of a proof-of-concept exploit.
This campaign witnessed sophisticated tactics, including the use of malicious plugins like wp-zexit.php, enabling threat actors to remotely send PHP code, redirecting users to scam sites under their control. Despite efforts by tagDiv to address the flaw by recommending theme updates and security plugins, thousands of sites have already been compromised. Sucuri identified six distinct attack waves, characterized by varying techniques and domains, indicating the adaptability and agility of the threat actors.
Sucuri’s report provides critical insights into these attacks, emphasizing the importance of upgrading the tagDiv Composer plugin to version 4.2 or later to mitigate the vulnerability. Website owners are urged to maintain updated themes and plugins, remove dormant user accounts, and conduct regular scans for hidden backdoors. Sucuri offers a free scanner designed to detect most Balada Injector variants, providing an essential tool for WordPress users to safeguard their websites against this pervasive threat. As the cyber landscape evolves, vigilance and proactive security measures remain paramount in defending against these relentless attacks.