Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.

The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.

According to a post authored by security researcher Denis Sinegubko, threat actors are exploiting the vulnerability to inject web scripts that redirect visitors to various scam sites. The redirections lead to sites pushing fake tech support, fraudulent lottery wins, and push notification scams, the latter of which trick visitors into subscribing to push notifications by displaying fake captcha dialogs.

Sucuri, the security firm Sinegubko works for, has been tracking the malware campaign since 2017 and has named it Balada. Sucuri estimates that in the past six years, Balada has compromised more than 1 million sites. Last month, Sucuri detected Balada injections on more than 17,000 sites, almost double the number the firm had seen the month before. More than 9,000 of the new infections were the result of injections made possible by exploiting CVE-2023-3169.

We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites. September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.

Sucuri has tracked no fewer than six waves of injections that leverage the vulnerability. While each wave is distinct, all contain a telltale script injected inside of these tags:

The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table.

The Balada threat actor has always attempted to gain persistent control over the websites it compromises. The most common way it does this is by injecting scripts that create accounts with administrator privileges. If real admins detect and remove the redirection scripts but allow the fake admin accounts to remain, the threat actor uses its administrative control to add a new set of malicious redirect scripts.

Balada Injector hackers always aim for persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators. In this case, the vulnerability doesn’t allow them to easily achieve this goal. However, this never stopped Balada from trying to completely take over the sites with stored XSS vulnerabilities.

Balada is long known for injecting malicious scripts that target logged-in site administrators. The idea is that when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page.
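The two cleanup points the article makes, that the injection sits in the `td_live_css_local_storage` row of `wp_options` and that leftover rogue administrator accounts let the actor re-inject after the scripts are removed, translate directly into a site-owner triage check. The script below is an added example written for this page; it is not code from Ars Technica, Sucuri or tagDiv. The option rows, user rows and the placeholder script body are constructed sample data, and the `KNOWN_ADMINS` allowlist is an assumption standing in for the administrator logins a site owner actually created. The `wp_capabilities` format it parses is WordPress's standard PHP-serialized array.

```python
import html
import re

# Constructed sample rows from a WordPress wp_options table (option_name, option_value).
# td_live_css_local_storage is the option the article names as the injection location;
# the script body below is a harmless placeholder, not the campaign's real payload.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("td_live_css_local_storage",
     '.td-header{color:#333}</style><SCRIPT>eval(atob("Li4u"))</SCRIPT><style>'),
    ("blogdescription", "Just another WordPress site"),
]

# Constructed sample rows joining wp_users.user_login with the wp_usermeta
# 'wp_capabilities' value, which WordPress stores as a PHP-serialized array.
SAMPLE_USERS = [
    ("editor_jane", 'a:1:{s:6:"editor";b:1;}'),
    ("admin", 'a:1:{s:13:"administrator";b:1;}'),
    ("wp_support_7731", 'a:1:{s:13:"administrator";b:1;}'),
]

# Administrator logins the site owner actually created (assumed allowlist).
KNOWN_ADMINS = {"admin"}

SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
# Matches role entries such as s:13:"administrator";b:1; inside the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def find_script_injections(options):
    """Return option names whose value carries an inline <script> tag.

    A stored-CSS option has no legitimate reason to contain script, so a hit
    is a strong indicator of the stored-XSS injection described in the article.
    """
    hits = []
    for name, value in options:
        # Also catch values saved HTML-entity-encoded (&lt;script&gt;).
        if SCRIPT_TAG_RE.search(html.unescape(value)):
            hits.append(name)
    return hits


def parse_roles(serialized_caps):
    """Extract the roles set to true in a PHP-serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized_caps))


def find_unexpected_admins(users, known_admins):
    """Return administrator logins missing from the owner's allowlist.

    These are the rogue accounts the campaign uses to re-inject redirect
    scripts after a cleanup that only removed the scripts themselves.
    """
    return [login for login, caps in users
            if "administrator" in parse_roles(caps) and login not in known_admins]


def triage(options, users, known_admins):
    """Combine both checks; a site is only clean when both lists are empty."""
    return {
        "injected_options": find_script_injections(options),
        "unexpected_admins": find_unexpected_admins(users, known_admins),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_OPTIONS, SAMPLE_USERS, KNOWN_ADMINS))
```

Feed the two functions rows exported from the real `wp_options` and `wp_users`/`wp_usermeta` tables in place of the constructed samples. The design point is the `triage()` wrapper: removing the flagged option value alone repeats the mistake the article describes, so a cleanup is only finished when the unexpected-administrator list is empty as well.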