A wide-ranging campaign to inject malicious code into WordPress-run websites has been ongoing for at least five years.

a picture of a laptop with the WordPress logo
Source: Monticello via Shutterstock

At least 1 million websites that run on WordPress have been infected by a campaign that uses rafts of WordPress plug-in and theme vulnerabilities to inject malicious code into sites, including a hefty number of zero-days.

According to research from Sucuri, the campaign, which the firm dubbed "Balada Injector," is not only prolific but also Methuselah-like in its longevity, slamming victim sites with malware since at least 2017. Once injected into the site, the bad code redirects website visitors to a panoply of scam sites, including fake tech support, fraudulent lottery wins, and push notifications asking for Captcha solutions.

Behind the scenes, though, injected scripts search for various files that could contain any sensitive or potentially useful information, such as access log files, error logs, files with debug information, database administration tools, administrator credentials, and more. They also load backdoors into the sites for persistent access and in some cases, site takeover.

While the 1 million stat is the number of sites collectively infected in the last five years, researchers only recently tied all of the activity into one operation. Going forward, the campaign shows no signs of slowing down.

"In 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains," Sucuri researchers noted in a blog post.

A Focus on WordPress Plug-in & Theme Vulnerabilities

The Balada Injector campaign has a few instantly recognizable hallmarks that allowed Sucuri researchers to bring all of the observed activity under one attribution umbrella. These include uploading and leaving multiple backdoors throughout the compromised environment; using a rotating roster of domain names where malicious scripts are hosted on random subdomains; and the spammy redirects.

But perhaps most notably, the operators of Balada Injector make very good use of security vulnerabilities in WordPress plug-ins and themes. These types of modular add-ons to the main WordPress content management system (CMS) allow site admins to add various kinds of functionality, such as polling capability, message board support, or click-to-call integration for e-commerce outfits.

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible," according to the Sucuri analysis. "This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes undisclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures."

In fact, this bug-centric strategy dictates the cadence of the attacks — Sucuri has been tracking fresh waves of activity occurring every couple of weeks, with lulls in between that are "probably utilized for gathering and testing newly reported and zero-day vulnerabilities."

Further, older vulnerabilities are part of the mix as well, with some remaining in use by the campaign for months and years after being patched.

Targeting the WordPress Ecosystem

The WordPress landscape is a popular target for cybercriminals of all stripes, helped along by the fact that the plug-in ecosystem is notoriously buggy.

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today," says Casey Ellis, founder and CTO at the Bugcrowd bug bounty platform. "The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs."

iThemes, a firm that tracks plug-in ecosystem flaws on a weekly basis, tallied 37 newly disclosed and patched plug-in vulnerabilities (and one theme vulnerability) for the week of March 15, affecting more than 6 million WordPress sites. It also counted 27 plug-in vulnerabilities (and three theme vulnerabilities) with no patch available yet. And those significant numbers are not unusual.

In all, iThemes identified a total of 1,425 disclosed WordPress plug-in and theme vulnerabilities in 2022 — and in any given week, 20 to 50 individual plug-ins and themes experienced at least one vulnerability, with a monthly average of 121 individual plug-ins and themes that had at least one vulnerability emerge.

iThemes' report also noted that vulnerable WordPress plug-ins and themes are the No. 1 reason WordPress sites get hacked.

"WordPress definitely needs updating on a regular basis, more so if you have a website that has a lot of plug-ins and third-party code, and this is one of many examples where security ends up being just that little bit too difficult for the average user who's also trying to run a business," Ellis notes.

Protecting Against WordPress Plug-in Insecurity

In order to protect against Balada Injector and other WordPress threats, organizations should first and foremost ensure that all of their website software is up-to-date, remove unused plug-ins and themes, and utilize a Web application firewall.

Mike Parkin, senior technical engineer at Vulcan Cyber, explains that the ability to add plug-ins easily to WordPress from official download stores (much like the mobile app ecosystem) adds to the security issue, so education for the Web team around the dangers of installing unvetted modules is also a must.

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says.

Even large organizations aren't immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team," he says. "Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights