WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs

Gauloran

Moderation Team Leader
7 Jul 2013


A campaign that uses multiple WordPress plugin and theme vulnerabilities (including numerous zero-days) to inject malicious code into websites has infected at least one million WordPress-powered sites.
Research by Sucuri found that the campaign, dubbed "Balada Injector", is prolific and has Methuselah-like persistence, having planted malware on victims' sites since at least 2017. Once the malicious code is injected into a page, visitors are redirected to various fraudulent websites, such as:

Behind the scenes, the injected scripts search for files that can contain potentially sensitive and useful information, such as access logs, error logs, debug-info files, database administration tools, administrator credentials, and more. In addition, a backdoor is loaded onto the site, giving the attackers persistent access and, in some cases, full takeover of the website. The one-million figure represents the total number of infected sites over the last five years, but researchers have only recently linked all of this activity to a single campaign. The campaign is still going strong and shows no signs of slowing down.

Focus on vulnerabilities in WordPress plugins and themes
Sucuri researchers were able to tie all the observed activity to the Balada Injector campaign through shared tradecraft: a rotating list of domain names, malicious scripts placed on random subdomains, numerous backdoors uploaded across the compromised environments, and spammy redirects.
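The traits described in the two paragraphs above (scripts injected from throwaway subdomains, PHP backdoors dropped into the webroot, and the logs, debug files and database tools the injected scripts hunt for) are all things a site owner can look for locally. The following triage scanner is an added example, not Sucuri's tooling and not code from the original post. Everything in it is hypothetical: the `ALLOWED_HOSTS` allowlist stands in for the script hosts your own site legitimately uses, and `build_demo_site()` constructs a small sample webroot (including a constructed one-line backdoor, not a real compromise) so the scan runs offline.

```python
"""Triage scan for Balada-style injections in a WordPress webroot (added example)."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts the site is expected to load scripts from (hypothetical allowlist).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# File names the injected scripts hunt for: logs, debug files, DB tools,
# configuration backups. Their presence in the webroot is a finding by itself.
SENSITIVE_NAMES = {
    "debug.log", "error_log", "error.log", "access.log", "adminer.php",
    "wp-config.php.bak", "wp-config.php.old", "wp-config.php~", ".env",
}

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Typical PHP dropper/backdoor constructs; noisy in core code, telling under uploads/.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(", re.I
)


def _host(src):
    """Host part of a script src; '' for relative (same-origin) URLs."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def find_external_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return script srcs that load from a host not on the allowlist."""
    return [src for src in SCRIPT_SRC_RE.findall(html)
            if _host(src) and _host(src) not in allowed_hosts]


def scan_webroot(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a webroot and collect three kinds of findings, each sorted."""
    findings = {"external_scripts": [], "obfuscated_php": [], "sensitive_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in SENSITIVE_NAMES:
                findings["sensitive_files"].append(rel)
            if not name.endswith((".php", ".html", ".js")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            for src in find_external_scripts(data, allowed_hosts):
                findings["external_scripts"].append((rel, src))
            # PHP under wp-content/uploads should not exist at all; obfuscated PHP there is a backdoor.
            if (name.endswith(".php") and "uploads" in rel.split(os.sep)
                    and OBFUSCATION_RE.search(data)):
                findings["obfuscated_php"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_site():
    """Constructed sample webroot (not a real compromise) for offline testing."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        # Theme header: a local script, an allowed host, and an injected script
        # on a random-looking subdomain of a throwaway domain.
        "wp-content/themes/demo/header.php": (
            "<script src='/wp-includes/js/jquery/jquery.min.js'></script>\n"
            "<script src=\"https://www.example.com/assets/app.js\"></script>\n"
            "<script src=\"//a8f3k2.rotating-domain.test/main.js\"></script>\n"
        ),
        # Constructed dropper-style PHP hidden in uploads, the kind of backdoor left behind.
        "wp-content/uploads/2023/.cache.php": "<?php @eval(base64_decode($_REQUEST['q'])); ?>\n",
        # Leftovers the injected scripts search for.
        "wp-content/debug.log": "[01-Apr-2023] PHP Notice: constructed sample line\n",
        "adminer.php": "<?php // database admin tool left in the webroot\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, items in scan_webroot(build_demo_site()).items():
        print(kind, items)
```

Point `scan_webroot()` at a real document root and replace `ALLOWED_HOSTS` with the hosts your theme actually loads from; any script host you do not recognise, any PHP file under `uploads/`, and any of the listed leftover files is worth a closer look. Injected code also lives in the database (posts, widgets, `wp_options`), which this file-only scan does not cover.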

Perhaps most notably, the operators of Balada Injector also exploit vulnerabilities in WordPress plugins and themes. These modular add-ons let site administrators bolt on features such as polls, message boards, or click-to-call integration for an e-commerce shop.

“Vulnerabilities of all kinds in WordPress themes and plugins allow attackers to inject code or gain unauthorized access to your site. […] Balada Injector was always quick with new additions: vulnerabilities were published (sometimes even zero-days), and large waves of infections occurred within hours of vulnerability disclosure,” explains Sucuri's analysis.

Sucuri tracks new waves of activity every few weeks, with pauses in between that are "likely used to collect and test newly reported and zero-day vulnerabilities."

The campaign also leans on a mix of older vulnerabilities, some of which it has kept exploiting for months or years after a patch was released.

Targeting the WordPress Ecosystem
Because the WordPress ecosystem is so bug-prone, it has become a popular target for cybercriminals of every stripe.

"Depending on how you measure it, in 2023 WordPress still powers around 60% of the websites available on the internet today [...] The sheer volume of code associated with it, the level of customization that often comes with it, and the complexity, prevalence, and lack of consistent security measures and practices in the WordPress plugin ecosystem all contribute to making WordPress sites, and the ecosystem in general, a rich hunting ground for cybercriminals looking for exploitable bugs," said Casey Ellis, founder and CTO of the bug bounty platform Bugcrowd.

Protection against insecurity of WordPress plugins
To protect against Balada Injector and other WordPress threats, businesses should first make sure that all software on their sites is up to date, remove unused plugins and themes, and put a web application firewall in front of the site.
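The first two of those steps, keeping plugins current and removing the ones nobody uses, come down to knowing what is installed, what version it is, and whether it is even active. The audit below is an added example, not code from the article or from WordPress itself. Its assumptions are hypothetical: `LATEST_VERSIONS` stands in for the version data you would fetch from the wordpress.org plugin API, `ACTIVE_PLUGINS` for the `active_plugins` option in the site's database, and `build_demo_plugins()` constructs a small sample `wp-content/plugins` tree so the audit runs offline. The header parsing follows the `Plugin Name:` / `Version:` comment fields WordPress itself reads from a plugin's main file.

```python
"""Audit installed WordPress plugins for outdated and unused ones (added example)."""
import os
import re
import tempfile

# WordPress reads these fields from the comment header of the plugin's main file.
HEADER_RE = {
    "name": re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.I | re.M),
    "version": re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", re.I | re.M),
}

# Hypothetical stand-ins for the wordpress.org API and the active_plugins option.
LATEST_VERSIONS = {"demo-poll": "1.3.1", "demo-forum": "2.0.0", "demo-legacy": "1.0"}
ACTIVE_PLUGINS = {"demo-poll/demo-poll.php", "demo-forum/demo-forum.php"}


def parse_plugin_header(text):
    """Extract the header fields we care about from a plugin's main PHP file."""
    out = {}
    for key, rx in HEADER_RE.items():
        m = rx.search(text)
        if m:
            out[key] = m.group(1)
    return out


def version_key(v):
    """Comparable tuple so that '1.2.10' > '1.2.9'; non-numeric parts sort lowest."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-+]", v.strip()))


def audit_plugins(plugins_dir, latest=LATEST_VERSIONS, active=ACTIVE_PLUGINS):
    """Map plugin slug -> installed version, newest known version, active flag, update flag."""
    report = {}
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        for fname in sorted(os.listdir(pdir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(pdir, fname), encoding="utf-8", errors="replace") as fh:
                hdr = parse_plugin_header(fh.read(8192))  # header sits at the top of the file
            if "name" not in hdr:
                continue  # not the plugin's main file
            installed = hdr.get("version", "0")
            newest = latest.get(slug)
            report[slug] = {
                "name": hdr["name"],
                "version": installed,
                "latest": newest,
                "active": f"{slug}/{fname}" in active,
                "update_available": newest is not None and version_key(newest) > version_key(installed),
            }
            break
    return report


def recommendations(report):
    """The two actions the article calls for: update what is active, remove what is not."""
    update = sorted(s for s, r in report.items() if r["active"] and r["update_available"])
    remove = sorted(s for s, r in report.items() if not r["active"])
    return {"update": update, "remove": remove}


def build_demo_plugins():
    """Constructed sample plugins directory with one outdated, one current, one unused plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug, ver in {"demo-poll": "1.2.0", "demo-forum": "2.0.0", "demo-legacy": "0.9"}.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug.replace('-', ' ').title()}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    rep = audit_plugins(build_demo_plugins())
    for slug, r in rep.items():
        print(slug, r)
    print(recommendations(rep))
```

On a live site the same questions are answered by WP-CLI (`wp plugin list --update=available` and `wp plugin list --status=inactive`, followed by `wp plugin update` and `wp plugin delete`); the value of a script like this is running it from outside the site, for example from a scheduled job that compares the result against the last run. Note that an inactive plugin's files are still reachable over HTTP, which is why the article's advice is to delete unused plugins rather than merely deactivate them.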

According to Mike Parkin, Senior Technical Engineer at Vulcan Cyber, the ease of adding plugins to WordPress from download stores (much like the mobile app ecosystem) raises its own security concerns, so web teams also need to be taught the risks of installing untrusted modules. “There are loads of plug-ins, lots of places to get them, and easy deployment; you have a recipe for easy distribution of malicious plug-ins,” he said.

Even large organizations are not immune to WordPress security problems. "There are cases, even in large companies, where a website is developed and maintained by an individual or a small team [...] Often these people have no particular sense of security and are more concerned with updating their site than with doing so safely. Patches go unnoticed. Security warnings go unnoticed. New and interesting plug-ins are installed without any guarantee that they are safe or, sometimes, that they even work,” he added.