Balada Injector: Malware Compromises Over 17,000 WordPress Sites in September 2023

admin, 2023-10-12 13:36:13


More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August.


Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to perform stored cross-site scripting (XSS) attacks.


"This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv's premium themes," Sucuri security researcher Denis Sinegubko said.


"One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused."


Balada Injector is a large-scale operation first discovered by Doctor Web in December 2022, wherein the threat actors exploit a variety of WordPress plugin flaws to deploy a Linux backdoor on susceptible systems.


The main purpose of the implant is to direct users of the compromised sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. More than a million websites have been impacted by the campaign since 2017.


Attacks involving Balada Injector play out in the form of recurring activity waves that occur every couple of weeks, with a surge in infections detected on Tuesdays following the start of a wave during the weekend.


The latest set of breaches entails the exploitation of CVE-2023-3169 to inject a malicious script and ultimately establish persistent access over the sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.


Historically, these scripts have targeted logged-in WordPress site administrators, as they allow the adversary to perform malicious actions with elevated privileges via the admin interface, including creating new admin users that they can use for follow-on attacks.


The rapidly evolving nature of the scripts is evidenced by their ability to plant a backdoor in the websites' 404 error pages that are capable of executing arbitrary PHP code, or, alternatively, leverage code embedded into the pages to install a malicious wp-zexit plugin in an automated fashion.


Sucuri described it as "one of the most complex types of attacks" performed by the script, given it mimics the entire process of installing a plugin from a ZIP archive file and activating it.


The core functionality of the plugin is the same as the backdoor, which is to execute PHP code sent remotely by the threat actors.

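The persistence artefacts described above (a malicious wp-zexit plugin, a theme 404 page that executes remotely supplied PHP, and administrator accounts nobody provisioned) are the things a defender can check for after an incident. The triage script below is an added example written for this page, not Sucuri's tooling or anything from the article; the backdoor regex, the constructed sample tree and the admin baseline are assumptions to adapt to your own site.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article: a plugin called wp-zexit, a theme 404.php
# that runs attacker-supplied PHP, and administrator logins that nobody created.
KNOWN_BAD_PLUGINS = {"wp-zexit"}
# Constructed pattern for "execute code that arrives in the request"; tune locally.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|create_function)\s*\(|\bbase64_decode\s*\(|\$_(POST|GET|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)


def scan_wordpress(root, current_admins, expected_admins):
    """Return sorted (severity, detail) findings for the install rooted at `root`.

    current_admins: logins holding the administrator role right now (for example
    the output of `wp user list --role=administrator --field=user_login`).
    expected_admins: the logins that should exist, from your own baseline.
    """
    root = Path(root)
    findings = []
    plugins = root / "wp-content" / "plugins"
    for p in (plugins.iterdir() if plugins.is_dir() else []):
        if p.name in KNOWN_BAD_PLUGINS:
            findings.append(("high", f"malicious plugin present: {p.relative_to(root)}"))
    themes = root / "wp-content" / "themes"
    for page in (themes.glob("*/404.php") if themes.is_dir() else []):
        text = page.read_text(errors="ignore")
        hits = sorted({m.group(0) for m in SUSPICIOUS_PHP.finditer(text)})
        if hits:
            findings.append(("high", f"404 page executes untrusted code: {page.relative_to(root)} {hits}"))
    for login in sorted(set(current_admins) - set(expected_admins)):
        findings.append(("high", f"unexpected administrator account: {login}"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed WordPress-like tree (sample data, not a real site) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    (root / "wp-content" / "plugins" / "wp-zexit").mkdir(parents=True)
    clean = root / "wp-content" / "themes" / "clean-theme"
    clean.mkdir(parents=True)
    clean.joinpath("404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
    bad = root / "wp-content" / "themes" / "demo-theme"
    bad.mkdir(parents=True)
    bad.joinpath("404.php").write_text("<?php get_header();\nif (isset($_POST['x'])) { eval(base64_decode($_POST['x'])); }\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for severity, detail in scan_wordpress(site, ["admin", "wp_sysadmin"], ["admin"]):
        print(severity, detail)
```

Run it against a real install by pointing `scan_wordpress` at the document root and feeding it the live administrator list; a clean site with a matching baseline returns an empty list.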

Newer attack waves observed in late September 2023 entail the use of randomized code injections to download and launch a second-stage malware from a remote server to install the wp-zexit plugin.


Also used are obfuscated scripts that transmit the visitor's cookies to an actor-controlled URL and fetch in return an unspecified JavaScript code.


"Their placement in files of the compromised sites clearly shows that this time, instead of using the tagDiv Composer vulnerability, attackers leveraged their backdoors and malicious admin users that had been planted after successful attacks against website admins," Sinegubko explained.


Originally published by the WeChat official account 知机安全: Balada Injector: Malware Compromises Over 17,000 WordPress Sites in September 2023

Reposted on CN-SEC中文网 (with thanks to the original author); please keep this link when reprinting: https://cn-sec.com/archives/2105719.html

