Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

October 11, 2023 at 08:54AM

Over 17,000 WordPress websites were hacked in September 2023, double the number from the previous month. Around 9,000 of these websites were infiltrated using a security flaw in the tagDiv Composer plugin, allowing for cross-site scripting attacks. The Balada Injector malware is responsible for these attacks, which aim to redirect users to fraudulent tech support pages, push notification scams, and fake lottery wins. This is not the first time the Balada Injector gang has targeted vulnerabilities in tagDiv’s premium themes.

Key Takeaways:

1. In September 2023, over 17,000 WordPress websites were compromised by the Balada Injector malware, twice the number detected in August.
2. Approximately 9,000 of the compromised websites were infiltrated using a recently disclosed security flaw (CVE-2023-3169) in the tagDiv Composer plugin, allowing unauthenticated users to perform XSS attacks.
3. The Balada Injector gang has previously targeted vulnerabilities in tagDiv’s premium themes, with a significant attack happening in the summer of 2017.
4. The Balada Injector campaign, discovered in December 2022, exploits various WordPress plugin flaws to install a Linux backdoor on vulnerable systems.
5. The implanted malware aims to redirect users to fraudulent tech support pages, lottery scams, and push notification scams. Over a million websites have been impacted by this campaign since 2017.
6. Attacks involving Balada Injector typically occur in waves, with a surge in infections detected on Tuesdays after a weekend wave.
7. The recent breaches involved the exploitation of CVE-2023-3169, injecting a malicious script to establish persistent access, upload backdoors, add malicious plugins, and create rogue blog administrators.
8. The scripts used in these attacks have historically targeted logged-in WordPress site administrators to perform malicious actions with elevated privileges.
9. The scripts have the capability to plant a backdoor on the websites’ 404 error pages or install a malicious wp-zexit plugin using code embedded into the pages.
10. Newer attack waves observed in late September 2023 involve randomized code injections to download and launch a second-stage malware and install the wp-zexit plugin.
11. Obfuscated scripts are also used to transmit visitors’ cookies and fetch JavaScript code from an actor-controlled URL.
12. Instead of exploiting the tagDiv Composer vulnerability, the attackers in the recent attacks leveraged their existing backdoors and malicious admin users.
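A triage sketch for the persistence artifacts listed above (the wp-zexit plugin, modified 404 pages, rogue administrators), added here as an example and not taken from the original article. The `wp-content/plugins` location, the 404.php modification-time heuristic, and the sample CSV (shaped like `wp user list --role=administrator --fields=user_login,user_email,roles --format=csv` output) are assumptions.

```python
import csv
import io
from pathlib import Path

PLUGIN_NAME = "wp-zexit"  # plugin name given in the article

# Constructed sample; shaped like a wp-cli administrator export (assumption).
SAMPLE_ADMIN_CSV = """user_login,user_email,roles
editor_in_chief,eic@example.org,administrator
qx7admin,qx7@example.net,administrator
"""

def find_plugin(wp_root):
    """Entries in wp-content/plugins named like wp-zexit (location is assumed)."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(str(p) for p in plugins.iterdir()
                  if p.name.lower().startswith(PLUGIN_NAME))

def changed_404_pages(wp_root, slack_seconds=86400):
    """Theme 404.php files newer than every other file in the same theme.

    Heuristic only (an assumption, not an indicator from the article): a theme
    update touches all files together, a planted backdoor touches one.
    """
    themes = Path(wp_root) / "wp-content" / "themes"
    flagged = []
    if not themes.is_dir():
        return flagged
    for page in sorted(themes.glob("*/404.php")):
        others = [f.stat().st_mtime for f in page.parent.rglob("*")
                  if f.is_file() and f != page]
        if others and page.stat().st_mtime > max(others) + slack_seconds:
            flagged.append(str(page))
    return flagged

def unexpected_admins(csv_text, expected_logins):
    """Administrator logins in the export that are not on the allowlist."""
    expected = {name.lower() for name in expected_logins}
    return [row["user_login"] for row in csv.DictReader(io.StringIO(csv_text))
            if "administrator" in (row.get("roles") or "")
            and row["user_login"].lower() not in expected]

def triage(wp_root, admin_csv, expected_logins):
    """Run all three checks and return the findings for manual review."""
    return {"plugin": find_plugin(wp_root),
            "404": changed_404_pages(wp_root),
            "admins": unexpected_admins(admin_csv, expected_logins)}
```

Every finding is a lead for manual review, not proof of compromise; an empty result does not show the site is clean.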
