An investigation revealed that an estimated 1 million websites running WordPress, the well-known website builder and content management system, had been affected by a long-running malware campaign dubbed the “Balada Injector.”
WordPress powers about 40% of all websites and has a vast ecosystem of plugins and themes, any of which can carry vulnerabilities that threat actors target with various types of malware.
The perpetrators sought out “all known and recently discovered theme and plugin vulnerabilities” to inject a backdoor that allowed them to take over the affected websites while bypassing common security controls. Once they controlled a website, they’d attempt to harvest valuable data, including databases, debug info, user and employee credentials, and more.
They’d also use the website to run social engineering scams, which exploit the trust users place in a website they frequent in order to steal money from them. These scams involved fraudulent tech support, push notifications, and fake lottery scams to defraud unsuspecting visitors.
According to the cybersecurity company Sucuri, the Balada Injector has consistently ranked among the top 3 types of WordPress malware that it detects and removes from WordPress websites each year since the campaign’s inception in 2017.
Sucuri researchers also released a report that provides extensive coverage of how the injector works, how it spreads, and its cross-site infections, including noting that a line in the code injected in the backdoor can be translated from Russian as “additional shell paths.”
They also provide details on how to remove the Balada Injector from your websites and protect your plugins in the future. If you believe your website has been infected, be sure to read their guides.
Basic security tips involve keeping your plugins and themes up to date, resolving any known vulnerabilities on your website, and regularly scanning it with third-party cybersecurity tools.
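A concrete way to act on the first two tips is to audit an installation for outdated plugins and themes and verify file integrity with WP-CLI. The script below is an added example, not code from the article or from Sucuri; it assumes WP-CLI (`wp`) is installed and that `wp plugin list`/`wp theme list` emit their default CSV columns (`name,status,update,version`). When `wp` is absent, the parser runs on a constructed sample so the logic can be checked offline.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress install for
# outdated plugins/themes and verify file checksums using WP-CLI.
# Assumes WP-CLI is installed and uses its default CSV columns.

# Print plugins/themes whose "update" column is "available".
# Input on stdin: CSV in WP-CLI's "name,status,update,version" layout.
list_outdated() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 " (installed " $4 ")" }'
}

# Count how many entries have an update available (0 when none).
count_outdated() {
    list_outdated | wc -l | tr -d ' '
}

# Constructed sample shaped like `wp plugin list --format=csv` output.
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,5.1
example-slider,active,available,2.3.1
legacy-forms,inactive,available,1.0.4'

# Run the real checks against a WordPress root directory ($1).
audit_site() {
    site="$1"
    echo "== Plugins with updates available =="
    wp --path="$site" plugin list --format=csv | list_outdated
    echo "== Themes with updates available =="
    wp --path="$site" theme list --format=csv | list_outdated
    echo "== Core file integrity (detects modified/injected core files) =="
    wp --path="$site" core verify-checksums
    echo "== Plugin file integrity (wordpress.org-hosted plugins only) =="
    wp --path="$site" plugin verify-checksums --all
}

if [ "$#" -ge 1 ] && command -v wp >/dev/null 2>&1; then
    audit_site "$1"
else
    echo "wp not found or no path given; parsing the constructed sample instead:"
    printf '%s\n' "$SAMPLE_PLUGIN_CSV" | list_outdated
fi
```

Run it as `sh audit.sh /var/www/html` on the server; anything listed under the integrity sections points at files that differ from the published release and deserves a closer look, while the update lists tell you which components still need patching.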