17,000 WordPress sites hacked in Balada Injector attacks last month

October 11, 2023 10:48 am | Updated 10:49 am IST

Over 17,000 WordPress websites have fallen victim to multiple Balada Injector campaigns that exploit known flaws in premium theme plugins.

Over 17,000 WordPress websites have fallen victim to multiple Balada Injector campaigns that exploit known flaws in premium theme plugins, as per a report by Bleeping Computer.

Balada Injector uses these flaws to covertly insert a Linux backdoor into websites.

This backdoor redirects visitors to fake tech support pages, phony lottery winnings, and push notification scams. The redirects are likely either part of scams or sold as a service to scammers.

Sucuri’s April 2023 report revealed that Balada Injector has been active since 2017, affecting nearly one million WordPress sites.

The latest campaign targets CVE-2023-3169, a vulnerability in tagDiv Composer, a tool frequently used with popular WordPress themes like Newspaper and Newsmag, putting a substantial number of websites at risk.

The attacks began in mid-September when details of the vulnerability were disclosed, allowing threat actors to inject malicious code that leads users to scam websites.

There have been six attack waves, each with unique tactics. Sucuri’s report highlights that thousands of websites have already been affected by this campaign. Signs of this exploitation include odd script injections and hidden code in the website’s database.

To protect against Balada Injector, update the tagDiv Composer plugin to version 4.2 or higher. Website owners are also strongly advised to promptly update their themes, install security plugins such as Wordfence, and change their passwords.

Additionally, Sucuri offers a free scanner to help identify potential issues. As attackers adapt quickly, website owners must remain vigilant and take proactive security measures to guard against Balada Injector.
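
The update advice above can be checked across many sites at once. The following is an added example, not code from the article or from Sucuri: it reads WordPress plugin headers under a hosting root and flags tagDiv Composer copies older than 4.2. The header text "tagDiv Composer", the folder names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MIN_FIXED = (4, 2)               # the article's advice: 4.2 or higher
PLUGIN_NAME = "tagdiv composer"  # assumption: text of the "Plugin Name:" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def read_header(php_path):
    """Return header fields from the first 8 KiB of a plugin file (first match wins)."""
    text = Path(php_path).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'4.1.3-beta' -> (4, 1, 3): the leading dotted-integer run only."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def audit(root):
    """List (relative path, version, status) for each tagDiv Composer copy under root."""
    results = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        header = read_header(php)
        if PLUGIN_NAME not in header.get("plugin name", "").lower():
            continue
        version = header.get("version", "")
        parsed = version_tuple(version)
        status = "unknown" if not parsed else "ok" if parsed >= MIN_FIXED else "outdated"
        results.append((php.relative_to(root).as_posix(), version, status))
    return results

def demo():
    """Run the audit over a constructed tree: two sites, made-up folder names."""
    with tempfile.TemporaryDirectory() as root:
        for site, name, ver in [("site-a", "tagDiv Composer", "4.1"),
                                ("site-b", "tagDiv Composer", "4.2"),
                                ("site-b", "Other Plugin", "1.0")]:
            folder = Path(root, site, "wp-content/plugins", name.lower().replace(" ", "-"))
            folder.mkdir(parents=True)
            (folder / "main.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return audit(root)
```

Calling `audit()` on a real hosting root returns one row per installed copy; a status of `unknown` means the header had no parseable version and the copy should be inspected by hand.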
