Massive Balada Injector campaign attacking WordPress sites since 2017

An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits “all known and recently discovered theme and plugin vulnerabilities” to inject a Linux backdoor that researchers named Balada Injector.

The campaign has been running since 2017 and aims mostly to redirect to fake tech support pages, fraudulent lottery wins, and push notification scams.

According to website security company Sucuri, the Balada Injector campaign is the same one that Dr. Web reported in December 2022 to leverage known flaws in several plugins and themes to plant a backdoor.

Long-running campaign

Sucuri reports that Balada Injector attacks come in waves roughly once a month, each using a freshly registered domain name to evade blocklists.

Usually, the malware exploits newly disclosed vulnerabilities and develops custom attack routines around the flaw it targets.

Targeted add-ons from a specific infection wave (Sucuri)

Injection methods observed by Sucuri over the years include siteurl hacks, HTML injections, database injections, and arbitrary file injections.

This plethora of attack vectors has also created duplicate site infections, with subsequent waves targeting already compromised sites. Sucuri highlights a case of a site that was attacked 311 times with 11 distinct versions of Balada.

Typical Balada injection (Sucuri)

Post-infection activity

Balada’s scripts focus on exfiltrating sensitive information such as database credentials from wp-config.php files, so even if the site owner cleans the infection and patches their add-ons, the threat actor retains access through the stolen credentials.

The campaign also seeks backup archives and databases, access logs, debug info, and files that might contain sensitive information. Sucuri says the threat actor frequently refreshes the list of targeted files.

Moreover, the malware looks for the presence of database administration tools like Adminer and phpMyAdmin. If these tools are vulnerable or misconfigured, they could be used to create new admin users, extract information from the site, or inject persistent malware into the database.

If these direct avenues are unavailable, the attackers fall back to guessing the admin password from a list of 74 credentials.

Balada backdoors

The Balada Injector plants multiple backdoors on compromised WordPress sites for redundancy, which act as hidden access points for the attackers.

Sucuri reports that at some point in 2020, Balada was dropping backdoors to 176 predefined paths, making the complete removal of the backdoor very challenging.

Excerpt of backdoor paths list (Sucuri)

Also, the names of the planted backdoors changed in each campaign wave to make detections and removals harder for website owners.

The researchers say that Balada injectors are not present on every compromised site, since managing that many clients would be a considerable challenge. They believe that the hackers uploaded the malware to websites “hosted on a private or virtual private server that shows signs of not being properly managed or neglected.”

From there, the injectors scan for websites that share the same server account and file permissions and search them for writable directories, starting from higher-privileged directories, to perform cross-site infections.

This approach allows the threat actors to easily compromise several sites at one go and quickly spread their backdoors while having to manage a minimal number of injectors.

Moreover, cross-site infections enable the attackers to re-infect cleaned-up sites repeatedly, as long as access to the VPS is maintained.

Sucuri notes that defending against Balada Injector attacks may differ from one case to another and that there is no one specific set of instructions admins can follow to keep the threat at bay, due to the wide variety of infection vectors.

However, Sucuri’s general WordPress malware cleanup guides should be enough to block most of the attempts.

Keeping all the website software updated, using strong, unique passwords, implementing two-factor authentication, and adding file integrity systems should work well enough to protect sites from compromise.

Source: https://www.bleepingcomputer.com/news/security/massive-balada-injector-campaign-attacking-wordpress-sites-since-2017/

Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing redirects to malvertising sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.

All Wordfence sites are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. Note that since this vulnerability did not require a separate firewall rule, statistics for it are not currently publicly available on Wordfence Intelligence, as they are aggregated under the general Cross-Site Scripting chart, where it currently accounts for roughly two-thirds of all attacks blocked by the rule.

According to Wordfence records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that they have seen. Wordfence has blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

It is believed that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.

Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign

WordPress 6.2.2 Security Release

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

Full info: https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

The Wordfence Threat Intelligence team identified a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

The developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/w3-eden-addresses-authenticated-stored-xss-vulnerability-in-download-manager-wordpress-plugin

Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites

MonsterInsights Google Analytics WordPress plugin XSS vulnerability affects up to +3 million websites.

The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed on over 3 million sites was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability.

Stored XSS

A Cross-Site Scripting (XSS) attack generally occurs when a part of a website that accepts user input fails to validate it or to encode it on output, so that an attacker can supply content the browser treats as script, such as inline JavaScript or a crafted link.

An XSS vulnerability can be leveraged to hijack user sessions and act as the victim inside the site, which can lead to user data theft or, when the victim is an administrator, a full site takeover.

The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”

A stored XSS, which is arguably worse, is one in which the malicious script is saved on the website’s own server (for example in a database field or a plugin setting) and served to every visitor who loads the affected page, with no need to trick each victim into clicking a crafted link.
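The following is an added example, not code from any of the plugins, vendors or articles on this page. It shows the mechanism behind both the OWASP description above and the “onmouseenter=” fragment seen in the Wordfence campaign: a stored value interpolated raw into an attribute lets the attacker close the quote and add an event handler, while context-aware escaping keeps the value inert. The template, the attacker input and the small attribute tokenizer are constructed for the demo; the tokenizer reads attribute names the way a browser would (quotes delimit values), which is what decides whether a handler gets bound.

```javascript
// Added example, not code from the articles or plugins above: why an unescaped
// stored value becomes an event-handler injection, and the context-aware escaping
// that stops it. The attacker input is constructed; its attribute part mirrors the
// "onmouseenter=" fragment seen in the Wordfence campaign.

// Escape a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A plugin-like template: a stored setting goes into an attribute, a stored
// message into element text. Vulnerable form: raw interpolation.
function renderUnsafe(setting) {
  return `<div class="banner" data-label="${setting.label}">${setting.message}</div>`;
}

// Hardened form: every dynamic value escaped for its context, attribute kept quoted.
function renderSafe(setting) {
  return `<div class="banner" data-label="${escapeHtml(setting.label)}">${escapeHtml(setting.message)}</div>`;
}

// Read the attribute names of the first start tag the way a browser tokenizer
// would (quotes delimit values), so we see which attributes the browser binds.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<') + 1;
  while (i < html.length && !/[\s>]/.test(html[i])) i++;            // skip tag name
  while (i < html.length) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>' || html[i] === '/') break;
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    if (name) names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < html.length && html[i] !== quote) i++;
        i++;                                                          // consume closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;        // unquoted value
      }
    }
  }
  return names;
}

// True if the first tag carries any on* event-handler attribute.
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

// Constructed attacker input: the label breaks out of the quoted attribute and adds
// a handler; the message tries a classic tag injection in text context.
const attackerSetting = {
  label: '" onmouseenter="alert(document.cookie)" x="',
  message: '<img src=x onerror="alert(1)">',
};

console.log('unsafe:', renderUnsafe(attackerSetting));
console.log('safe:  ', renderSafe(attackerSetting));
```

The unsafe render yields a `<div>` whose attributes are `class`, `data-label`, `onmouseenter` and `x`, so the handler fires on hover for every visitor; the safe render keeps only `class` and `data-label`, with the payload sitting harmlessly inside the attribute value. Escaping must match the context (a URL or JavaScript context needs different encoding), which is why WordPress exposes separate `esc_attr`, `esc_html`, `esc_url` and `esc_js` helpers.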

The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.

MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability

The MonsterInsights Google Analytics plugin is installed on over three million websites, which makes this vulnerability more concerning.

WordPress Security company, Patchstack, which discovered the vulnerability, published details:

“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 8.14.1.”

Recommended Action

Patchstack recommends that all users of the MonsterInsights Analytics Plugin update their WordPress plugin immediately to the latest version or at least version 8.14.1.

Read the U.S. National Vulnerability Database announcement:

CVE-2023-23999 Detail

Read Patchstack’s announcement:

WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)

As published in https://www.searchenginejournal.com/monsterinsights-wordpress-plugin-vulnerability/487510/

PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor

On May 11, 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammad.

Over the past few days, Wordfence has seen millions of requests for the plugin’s readme.txt file, which are likely attackers probing for the presence of the plugin to build a list of target sites, along with over 6,900 blocked exploit attempts. Wordfence’s attack data is limited because its firewall rule only triggers when a vulnerable version of the plugin is installed on a site, but a working exploit was published on GitHub on May 14. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and Wordfence anticipates that exploit attempts will only ramp up from here.

Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.

The vulnerability patched in Essential Addons for Elementor allowed attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request against a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied user’s password to whatever they chose in one simple request.

WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.

Source and more details: https://www.wordfence.com/blog/2023/05/psa-attackers-actively-exploiting-critical-vulnerability-in-essential-addons-for-elementor

See also: Vulnerability in Essential Addons for Elementor Leads to Mass Infection (sucuri.net)

WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know

On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium-Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities.

These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. This vulnerability would not be easy to exploit in an impactful manner on most configurations.

WordPress Core is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the ‘wp_ajax_set_attachment_thumbnail’ AJAX function in versions up to, and including, 6.2. This allows unauthenticated users to update the thumbnail image associated with existing attachments, granted they can trick an authenticated user with appropriate permissions into performing an action, such as clicking a link. The impact of this vulnerability is incredibly minimal and we do not expect to see any exploitation of this weakness.

WordPress Core is vulnerable to stored Cross-Site Scripting in versions up to, and including, 6.2, due to insufficient validation of the protocol in the response when processing oEmbed discovery. This makes it possible for authenticated attackers with contributor-level and above permissions to use a crafted oEmbed payload at a remote URL to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core fails to sufficiently sanitize block attributes in versions up to, and including, 6.2. This makes it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page, though Cross-Site Scripting may be possible when combined with an additional vulnerability. Please note that this would only affect sites utilizing a block editor compatible theme.

WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities.

Conclusion

In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours.

The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to impactfully exploit.

However, we urge all site owners to verify that WordPress is updated as soon as possible since it is not practical to deploy a firewall rule that protects against the oEmbed issue and as such any site with untrusted contributor-level users may be at risk.

As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running WordPress 4.1 or later, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Source and more details: https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know

New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.

“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.

Other features include its ability to extract data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided with a ready-to-use web panel for managing victims.

The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities — a technique also adopted by MacStealer.

The initial intrusion vector used to deliver the malware is not immediately clear, although it is possible that users are manipulated into downloading and executing it under the guise of legitimate software.

The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg,” suggesting that it’s being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam have been distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”

“Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.

Atomic then harvests system metadata, files, iCloud Keychain items, and information stored in web browsers (e.g., passwords, autofill data, cookies, credit card data) and crypto wallet extensions, compresses it all into a ZIP archive, and sends the archive to a remote server, from where the collected data is forwarded to pre-configured Telegram channels.

The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.

Second Variant of Atomic Stealer Found

SentinelOne, in a follow-up analysis published earlier this week, disclosed details of a previously unreported second variant of Atomic Stealer and the use of Google Ads as a distribution vector for the malware.

The new version masquerades as a game installer and incorporates a “larger number of functions focusing on Firefox and Chromium browsers” but at the same time leverages game-related lures to target cryptocurrency users.

Additionally, the presence of grammatical and spelling errors is an indication that the developer’s first language is likely not English. The identity of the threat actor behind Atomic Stealer is currently unknown.

Another notable trait of Atomic Stealer is that it has no persistence mechanism, which SentinelOne attributes to a macOS Ventura feature that alerts users when new apps or services are added to the list of “login items” that run automatically at startup. Instead, it steals as much information as possible in a single smash-and-grab run.

“Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use,” SentinelOne researcher Phil Stokes said.

“As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.”

Norton LifeLock says thousands of customer accounts breached

Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.

In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems. It’s why two-factor authentication, which Norton LifeLock offers, is recommended, as it blocks attackers from accessing someone’s account with just their password.

The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12.

“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.

Gen Digital said it sent notices to about 6,450 customers whose accounts were compromised.

Norton LifeLock provides identity protection and cybersecurity services. This is the latest of several recent incidents involving the theft of customer passwords. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked to push a tainted software update to its customers, allowing the cybercriminals to steal customers’ passwords.

That said, password managers are still widely recommended by security professionals for generating and storing unique passwords, so long as the appropriate precautions and protections are put in place to limit the fallout in the event of a compromise.

Source and more details: Norton LifeLock says thousands of customer accounts breached | TechCrunch

Popular password managers auto-filled credentials on untrusted websites

Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the vendors of the affected applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.

The security shortcomings outlined by Google mean that the vulnerable password managers auto-fill credentials into untrusted pages, without first requiring users to enter their master password.

An advisory from Google explains that the issue arises in two scenarios: where web pages have a CSP (content security policy) sandbox response header or where forms are inside a sandboxed iframe.

Auto-filling by password managers should not happen in either scenario but the affected applications all fail in this regard when encountering sandboxed content. Other password managers (including LastPass, 1Password, and Google Chrome’s password vault technology) avoid this mistake, said Google.

“Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refusing to fill in credentials if self.origin is ‘null’,” according to the Google advisory.
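The following is an added example, not code from Dashlane, Bitwarden, Apple or Google, showing the decision an autofill component can make before it fills anything, modelled on the self.origin check the advisory describes. The page-context object is a constructed stand-in for what an extension’s content script can observe in the frame it runs in; its field name (`selfOrigin`) and the saved-credential shape are assumptions. A document under a CSP `sandbox` response header, or in an iframe whose `sandbox` attribute lacks `allow-same-origin`, has an opaque origin that `self.origin` serialises as the string "null", which is the case the three affected managers got wrong.

```javascript
// Added example, not any password manager's code: an autofill gate modelled on the
// self.origin check in Google's advisory. The page-context object and the saved
// credential are constructed stand-ins; field names are assumptions.

function shouldAutofill(pageContext, savedCredential) {
  const origin = pageContext.selfOrigin;
  if (typeof origin !== 'string') return { fill: false, reason: 'origin unavailable' };
  // Sandboxed content (CSP sandbox header, or <iframe sandbox> without
  // allow-same-origin) has an opaque origin, serialised as the string "null".
  if (origin === 'null') return { fill: false, reason: 'opaque (sandboxed) origin' };
  if (!origin.startsWith('https://')) return { fill: false, reason: 'not served over HTTPS' };
  // Exact origin match only: scheme, host and port. No suffix or substring matching,
  // and only for a site the user has previously saved a credential for.
  if (origin !== new URL(savedCredential.url).origin) {
    return { fill: false, reason: 'origin does not match saved credential' };
  }
  return { fill: true, reason: 'origin matches saved credential' };
}

// Constructed credential and scenarios; each selfOrigin is what the browser would report.
const savedCredential = { url: 'https://example.com/login', username: 'alice' };
const scenarios = {
  normalPage:     { selfOrigin: 'https://example.com' },
  sandboxed:      { selfOrigin: 'null' },                     // CSP sandbox or sandboxed iframe
  lookalikeHost:  { selfOrigin: 'https://example.com.evil.test' },
  httpDowngrade:  { selfOrigin: 'http://example.com' },
  otherSubdomain: { selfOrigin: 'https://accounts.example.com' },
  noOrigin:       {},                                         // content script could not read it
};

// Run every scenario and return { name: fill? } for inspection.
function decideAll() {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) out[name] = shouldAutofill(ctx, savedCredential).fill;
  return out;
}

console.log(decideAll());
```

Only the `normalPage` scenario fills. Note that the `otherSubdomain` case is a product decision (some managers deliberately allow configured related domains); the sandboxed and HTTP cases are not, since a sandboxed page cannot be tied to any saved site and filling over plain HTTP exposes the credential in transit.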

Real world impact

In response to a query from The Daily Swig, Bitwarden confirmed that the issue had been resolved through a recent pull request. Dashlane told The Daily Swig that it had also updated its technology even though it remains unconvinced there was ever a substantive problem in play.

“We never submit or propose credentials for a domain when it has not been saved by the user previously – so in that specific use case, we don’t see a concrete attack scenario that would lead to credential stealing.

“The findings published by Google’s security team have been helpful in improving the way we communicate with our customers in autofill scenarios.

“We always welcome collaborating with security researchers to identify threats and potential attacks so that we can evolve our security architecture and keep offering the highest level of protection to our users.”

Google has yet to respond to The Daily Swig’s request for comment on Dashlane’s remarks about its research findings.

Source and more details: Popular password managers auto-filled credentials on untrusted websites | The Daily Swig (portswigger.net)