Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.
The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.
Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.
According to a post authored by security researcher Denis Sinegubko, threat actors are exploiting the vulnerability to inject web scripts that redirect visitors to various scam sites. The redirections lead to sites pushing fake tech support, fraudulent lottery wins, and push notification scams, the latter of which trick visitors into subscribing to push notifications by displaying fake captcha dialogs.
Sucuri, the security firm Sinegubko works for, has been tracking the malware campaign since 2017 and has named it Balada. Sucuri estimates that in the past six years, Balada has compromised more than 1 million sites. Last month, Sucuri detected Balada injections on more than 17,000 sites, almost double the number the firm had seen the month before. More than 9,000 of the new infections were the result of injections made possible by exploiting CVE-2023-3169.
Sinegubko wrote:
We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.
September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.
Sucuri has tracked no fewer than six waves of injections that leverage the vulnerability. While each wave is distinct, all contain a telltale script injected inside of these tags:
<style id="tdw-css-placeholder"></style><script>...malicious injection…</script><style></style>
The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table.
The Balada threat actor has always attempted to gain persistent control over the websites it compromises. The most common way it does this is by injecting scripts that create accounts with administrator privileges. If real admins detect and remove the redirection scripts but allow the fake admin accounts to remain, the threat actor uses its administrative control to add a new set of malicious redirect scripts.
The researcher wrote:
Balada Injector hackers always aim for persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators. In this case, the [CVE-2023-3169] vulnerability doesn’t allow them to easily achieve this goal. However, this never stopped Balada from trying to completely take over the sites with stored XSS vulnerabilities.
Balada is long known for injecting malicious scripts that target logged-in site administrators. The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page. So, if their browser loads a script that tries to emulate administrator activity, it will be able to do almost anything that can be done via the WordPress admin interface.
Anyone administering a site that uses the WordPress themes Newspaper or Newsmag should carefully inspect both their site and event logs for signs of infection using the many indicators of compromise included in the Sucuri post. As mentioned, the Balada threat actors attempt to gain persistent access to the sites they compromise. In addition to removing any malicious scripts added, it’s also important to check for backdoor code and the addition of any admin accounts.