
Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

WordPress websites have been hit by a malicious campaign called Balada Injector, which leverages all known and recently discovered theme and plugin vulnerabilities. Over one million WordPress websites have been infected since 2017, and the attack plays out in waves every few weeks. The attackers predominantly try to obtain database credentials from the wp-config.php file and search for tools like Adminer and phpMyAdmin. They also try to generate fake WordPress admin users, harvest data stored on the underlying hosts, and leave backdoors for persistent access.

A similar malicious JavaScript injection campaign was uncovered by Palo Alto Networks Unit 42, affecting more than 51,000 websites since 2022. This campaign also employs String.fromCharCode as an obfuscation technique and leads victims to booby-trapped pages.
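A defender-side check for the String.fromCharCode obfuscation mentioned above, as an added example (not code from Unit 42 or the original article): it decodes literal character-code runs in JavaScript or template source and reports those that hide a URL or script-injection marker. The regexes, the `MIN_ARGS` threshold and the sample input are assumptions constructed for illustration.

```python
import re
import sys

NUM = r"(?:0x[0-9a-fA-F]+|\d+)"
# String.fromCharCode(104, 116, ...) with literal decimal or 0x-hex arguments.
CALL_RE = re.compile(r"String\.fromCharCode\(\s*(" + NUM + r"(?:\s*,\s*" + NUM + r")*)\s*\)")
# Decoded content worth a human look: URLs, script tags, DOM-injection calls.
SUSPICIOUS_RE = re.compile(r"https?://|<script|document\.write|createElement", re.I)
MIN_ARGS = 8  # assumption: shorter runs are usually legitimate key-code handling


def decode_calls(source):
    """Yield (offset, decoded_text) for each call whose arguments are all literals."""
    for m in CALL_RE.finditer(source):
        codes = [int(t, 16) if t.lower().startswith("0x") else int(t)
                 for t in re.findall(NUM, m.group(1))]
        if len(codes) >= MIN_ARGS and all(c < 0x110000 for c in codes):
            yield m.start(), "".join(chr(c) for c in codes)


def scan(source):
    """Return findings whose decoded text contains a URL or injection marker."""
    findings = []
    for offset, text in decode_calls(source):
        if SUSPICIOUS_RE.search(text):
            findings.append({"line": source.count("\n", 0, offset) + 1,
                             "decoded": text})
    return findings


# Constructed sample (not taken from a real infection); the URL is a placeholder.
SAMPLE = (
    "/* theme footer script */\n"
    "var eol = String.fromCharCode(13, 10);\n"
    "var s = document.createElement('script');\n"
    "s.src = String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,"
    "112,108,101,46,105,110,118,97,108,105,100,47,120,46,106,115);\n"
)

if __name__ == "__main__":
    # With file paths as arguments, scan those files; otherwise scan the sample.
    paths = sys.argv[1:]
    inputs = [(p, open(p, errors="replace").read()) for p in paths] or [("SAMPLE", SAMPLE)]
    for name, text in inputs:
        for f in scan(text):
            print(f"{name}:{f['line']}: hidden string {f['decoded']!r}")
```

A hit is a lead for manual review rather than proof of infection, since some legitimate minified code also uses String.fromCharCode.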

WordPress users are advised to keep their website software up to date, remove unused plugins and themes, and use strong WordPress admin passwords.

Key Points:

• Over one million WordPress websites have been infected by Balada Injector since 2017.
• The attackers predominantly target the wp-config.php file and search for tools like Adminer and phpMyAdmin.
• A similar malicious JavaScript injection campaign has been targeting more than 51,000 websites since 2022.
• WordPress users are advised to keep their website software up to date, remove unused plugins and themes, and use strong WordPress admin passwords.
