Balada hacks thousands of WordPress sites through tagDiv plugin vulnerability
Thousands of sites running the WordPress content management system have been hacked by the prolific threat actor Balada, which exploited a vulnerability in a plugin known as tagDiv Composer.
tagDiv Composer is a required companion plugin for the WordPress themes Newspaper and Newsmag, which together have more than 155,000 downloads.
Security researcher Denis Sinegubko wrote in a post that Balada is exploiting the vulnerability to inject scripts into affected sites that redirect visitors to various scam sites.
These sites push fake tech support, fraudulent lottery wins, and push notification scams; the last of these displays a fake CAPTCHA dialog that tricks visitors into subscribing to browser push notifications.
The vulnerability is a stored cross-site scripting (XSS) flaw that lets an attacker inject malicious code into webpages served by the site; it carries a CVSS severity rating of 7.1 out of a possible 10.
Sucuri, the security firm Sinegubko works for, has tracked the Balada Injector campaign since 2017. In this instance, Balada stored its injected scripts in the site's WordPress database rather than in theme or plugin files on disk, and obfuscated them to make detection harder.
The firm estimates that in the past six years, Balada has compromised over 1 million sites.
Sinegubko wrote: “We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.”
The Balada threat actor has consistently sought persistent control over the websites it compromises.
Its most common method is injecting scripts that create accounts with administrator privileges. If the site's real admins remove the redirect scripts but leave the rogue admin accounts in place, the threat actor uses that administrative access to plant a fresh set of malicious redirect scripts.
Sucuri said that anyone administering a site that runs the Newspaper or Newsmag theme should carefully inspect both the site and its logs for signs of infection, using the indicators of compromise the firm has published.
Removing the injected scripts is not enough: it is also important to check for backdoor code and for administrator accounts that the site's own staff did not create.
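The two checks described above, database-resident script injections and rogue administrator accounts, lend themselves to a small triage script. The following is an added example and is not code from Sucuri, tagDiv or the article; it runs over constructed sample rows shaped like the output of WP-CLI's `wp option list`, `wp post list` and `wp user list`, uses generic obfuscation heuristics rather than Sucuri's published indicators of compromise, and every option name, post ID, login and host in it is a made-up placeholder.

```python
import re
from typing import Dict, Iterable, List, Sequence, Set, Tuple
from urllib.parse import urlparse

# Row shape: (table, key, value). In a real triage these come from
# `wp option list --format=json` and `wp post list --field=post_content`
# (or a SQL dump); the rows below are constructed for the example.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("wp_options", "siteurl", "https://example.test"),
    ("wp_options", "widget_text", '<div class="widget">Latest news</div>'),
    # Hypothetical theme option abused to hold an obfuscated script.
    ("wp_options", "custom_js_example",
     '<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>'),
    # Legitimate post embedding a script from the site's own CDN.
    ("wp_posts", "post_content:42",
     '<p>Hello</p><script src="https://cdn.example.test/lib.js"></script>'),
    # Post carrying a third-party loader plus a runtime-decoded redirect.
    ("wp_posts", "post_content:77",
     '<script src="https://r.ads-example.test/x.js"></script>'
     '<script>var _0x=atob("ZG9jdW1lbnQubG9jYXRpb24=");document.write(_0x);</script>'),
]

# Constructed user list, shaped like `wp user list --fields=user_login,roles`.
SAMPLE_USERS: List[Dict[str, object]] = [
    {"user_login": "editor_jane", "roles": ["editor"]},
    {"user_login": "siteowner", "roles": ["administrator"]},
    {"user_login": "wp_update_svc", "roles": ["administrator"]},  # not created by staff
]

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)""", re.IGNORECASE)

# Generic markers of runtime-decoded or encoded JavaScript. They are heuristics:
# a match is a reason to look, not proof of compromise.
OBFUSCATION_MARKERS: Sequence[Tuple[re.Pattern, str]] = (
    (re.compile(r"String\.fromCharCode"), "charcode-encoded string"),
    (re.compile(r"\batob\s*\("), "base64 decoded at runtime"),
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"\bunescape\s*\("), "unescape"),
    (re.compile(r"document\.write\s*\("), "document.write"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){5,}"), "hex-escaped string"),
)


def _host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_injected_scripts(rows: Iterable[Tuple[str, str, str]],
                          allowed_script_hosts: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (table, key, reasons) for every row whose script content looks injected.

    A <script> tag inside wp_options is always reported, because options are
    configuration, not content; posts are reported only when the script is
    obfuscated or loads from a host outside the allow-list.
    """
    findings = []
    for table, key, value in rows:
        if not SCRIPT_TAG.search(value):
            continue
        reasons: List[str] = []
        if table == "wp_options":
            reasons.append("script tag stored in wp_options")
        for pattern, label in OBFUSCATION_MARKERS:
            if pattern.search(value):
                reasons.append(label)
        for src in SCRIPT_SRC.findall(value):
            host = urlparse(src).hostname  # None for same-origin relative paths
            if host and not _host_allowed(host, allowed_script_hosts):
                reasons.append(f"external script from {host}")
        if reasons:
            findings.append((table, key, reasons))
    return findings


def unexpected_admins(users: Iterable[Dict[str, object]], known_admins: Set[str]) -> List[str]:
    """Logins holding the administrator role that are not on the site's own list."""
    return [str(u["user_login"]) for u in users
            if "administrator" in u["roles"] and u["user_login"] not in known_admins]


if __name__ == "__main__":
    for table, key, reasons in find_injected_scripts(SAMPLE_ROWS, {"example.test"}):
        print(f"[{table}] {key}: {', '.join(reasons)}")
    for login in unexpected_admins(SAMPLE_USERS, {"siteowner"}):
        print(f"[wp_users] unexpected administrator: {login}")
```

To run this against a live site, export the rows with `wp option list --format=json`, `wp post list --field=post_content` and `wp user list --role=administrator --fields=user_login,roles --format=json`, and replace the constructed samples; the allow-list of script hosts and the list of known administrators are site-specific inputs that the script deliberately does not guess. A hit on the option table deserves the most attention, because the flaw described in this article gave attackers a way to write into exactly that kind of stored setting rather than into files a file-integrity scanner would notice.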
Commenting on the hack, Chris Hauk, consumer privacy advocate at Pixel Privacy, said: “Unfortunately, plugins and themes are favourite targets of hackers looking to exploit weaknesses in the WordPress ecosystem.
“This flaw was only recently patched in the tagDiv Composer plugin, so there are likely still thousands upon thousands of WordPress sites using the old version of the plugin. WordPress admins should immediately update their plugins and templates to protect against this hack.”
Paul Bischoff, consumer privacy advocate at Comparitech, advised a similar course of action and said that admins need to carefully vet and review plugins and themes before installing them, and stay on top of updates.
“Failing to do so could put your visitors at risk. In this case, the exploit redirects users to scam websites related to tech support, lotteries, and CAPTCHA tests,” said Bischoff.