Nearly 7K WordPress Sites Compromised by Balada Injector

January 17, 2024 at 11:04AM

Over 6,700 WordPress sites were infected with the Balada Injector malware through a vulnerable Popup Builder plug-in, exploiting a cross-site scripting vulnerability (CVE-2023-6000). This long-running campaign has compromised over 1 million WordPress sites. Security experts advise implementing integrity monitoring and conducting routine updates to mitigate these threats.

Key takeaways from the article:

1. Over 6,700 WordPress websites have been infected with the Balada Injector malware due to a cross-site scripting vulnerability in the Popup Builder plug-in (CVE-2023-6000).
2. The Balada Injector campaign has been active since 2017, compromising over 1 million WordPress sites. It injects a backdoor to redirect visitors to fake support pages and compromised websites.
3. Threat actors exploited the XSS vulnerability in Popup Builder to inject malicious JavaScript code through the “sgpbWillOpen” event and the “wp-blog-header.php” file.
4. The vulnerable version of Popup Builder has over 200,000 installations, so further infections remain likely.
5. Malicious WordPress plug-ins are difficult to combat because victims often install them without knowing about their vulnerabilities, and long periods without updates leave those vulnerabilities unaddressed and open to exploitation by threat actors.

To mitigate the issue and minimize its risk:
– Implement an integrity monitoring solution to track threat actor activity on websites.
– Keep third-party code involvement to a minimum.
– Perform routine updates on third-party code.
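The integrity-monitoring recommendation above is the one control on this list that detects an injection after the fact. The following is an added example, not code from the article or from any vendor it cites: a minimal file-integrity check in Python that hashes every file under a web root, stores the result as a baseline, and on a later run reports files that were modified, added or removed. The tiny "site" it builds in a temporary directory (the file names and contents in `SAMPLE_FILES`, the appended comment line standing in for injected code) is constructed for the demo and is an assumption, not data from the article.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a WordPress install. Paths and contents are
# assumptions made for this demo, not data taken from the article.
SAMPLE_FILES = {
    "wp-blog-header.php": "<?php\nrequire __DIR__ . '/wp-load.php';\nwp();\n",
    "wp-content/plugins/popup-builder/popup-builder.php": "<?php\n// plug-in bootstrap (placeholder)\n",
    "wp-content/uploads/readme.txt": "uploads\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and diff it against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def write_sample_site(root: Path) -> None:
    """Lay down the constructed sample tree."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict:
    """Baseline a clean tree, simulate tampering, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_site(root)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): an extra line appended to a core
        # file and a new file dropped into the uploads directory.
        with (root / "wp-blog-header.php").open("a") as handle:
            handle.write("// constructed marker standing in for an unexpected change\n")
        (root / "wp-content/uploads/dropped.php").write_text("<?php // constructed placeholder\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the baseline produced by `build_baseline` should be written somewhere the web server cannot modify (outside the document root, or on a separate host) and refreshed only after a deliberate update, so that an unexpected entry in `modified` or `added` is a signal worth investigating rather than noise from routine patching.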
