Sucuri Details WordPress Balada Injector Campaign

WordPress vulnerabilities have been in the news lately. Today I am discussing the Balada Injector campaign that has been attacking WordPress’s Elementor Pro plugin for the past six years. Here are the details from Sucuri:

The vulnerability allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.

Since WooCommerce websites allow registration for customer accounts, any website with user registration enabled with the Elementor Pro plugin and WooCommerce installed is liable to be exploited if using the vulnerable version.

The plugin uses the update_option function which is used by WordPress to change database values for website settings, such as allowing shop admins to change some options within their site database. However, this recent vulnerability results from user input not being validated properly and the function does not check whether only high-privileged users are using it.

When both the Elementor Pro and WooCommerce plugins are active (a rather common combination within WordPress websites) this can lead to arbitrary wp_options changes such as:

  • siteurl value
  • default user role
  • user registration

We have also observed multiple users reporting that their administrator user name was changed to ad@example.com after this vulnerability was exploited on their website, as well as new administrator users added using the pattern wpnew_*** within the database.
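As an added example (not code from the Sucuri report or from this blog), a small Python audit that checks a site's wp_options and wp_users data for the exact changes the report lists: a tampered siteurl, a default role raised to administrator, open registration, the admin login renamed to ad@example.com, and new administrator accounts matching wpnew_*. It assumes the rows have already been exported into plain dicts (for instance via WP-CLI or a SQL query) and that each user's role has been resolved from the serialized capabilities row in wp_usermeta; the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

WPNEW = re.compile(r"^wpnew_", re.IGNORECASE)  # pattern quoted in the report


def audit_options(options, expected_host, expected_role="subscriber"):
    """options: {option_name: option_value} as stored in wp_options.
    Returns a list of human-readable findings (empty list == clean)."""
    findings = []
    for key in ("siteurl", "home"):
        url = options.get(key, "")
        if urlparse(url).hostname != expected_host:
            findings.append(f"{key} points at {url!r}, expected host {expected_host!r}")
    role = options.get("default_role", expected_role)
    if role != expected_role:
        findings.append(f"default_role is {role!r}, expected {expected_role!r}")
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled (registration open)")
    return findings


def audit_users(users):
    """users: list of {'ID', 'user_login', 'role'}; 'role' is assumed to be
    pre-resolved from wp_usermeta (constructed input, not raw table rows)."""
    findings = []
    for u in users:
        if u["user_login"].lower() == "ad@example.com":
            findings.append(f"user ID {u['ID']} login renamed to ad@example.com")
        if u["role"] == "administrator" and WPNEW.match(u["user_login"]):
            findings.append(f"unexpected administrator account {u['user_login']!r}")
    return findings


# Constructed sample data: a site that shows every indicator at once.
SAMPLE_OPTIONS = {
    "siteurl": "https://redirect.invalid",      # tampered (placeholder host)
    "home": "https://shop.example.org",         # untouched
    "default_role": "administrator",            # escalated
    "users_can_register": "1",
}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "ad@example.com", "role": "administrator"},
    {"ID": 2, "user_login": "wpnew_7f3a", "role": "administrator"},
    {"ID": 3, "user_login": "alice", "role": "customer"},
]


def run_sample():
    """Audit the constructed sample; returns all findings combined."""
    return audit_options(SAMPLE_OPTIONS, "shop.example.org") + audit_users(SAMPLE_USERS)


if __name__ == "__main__":
    for line in run_sample():
        print("FINDING:", line)
```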

Now you might have noticed the word “WooCommerce” in the above statement. That’s because you might have heard about another WordPress vulnerability that leverages WooCommerce.

David Maynor, Senior Director of Threat Intelligence at Cybrary, has a very detailed comment on this:

   “The most frustrating discussion a security person can have is the talk with sales/marketing where the need for WordPress is brought up. I am a long-time security researcher and I have the opinion that WordPress cannot be made secure.

   “WordPress dates back to 2003 with the goal of replacing the need for developers to make changes to a website.  Things like website themes, plugins that will do almost anything, adapting content to a number of browsers and platforms like mobile devices. WordPress has been institutionalized by pretty much everyone to be the de facto CMS.

   “Because of this overwhelming adoption for critical needs like customer facing web pages an entire developer ecosystem sprouted up around developing themes, tools, and plugins to make WordPress even easier to use. This is the equivalent of building a bad roof on a shaky foundation for a house in an earthquake zone. 

   “If you haven’t worked with sales and marketing departments before you might not be aware of the absolute dominance WordPress has in its market. There are entire tools and marketing platforms based on analyzing and optimizing WordPress content for data collection, targeted advertising, and customer insights.

   “Targeting a market for non-technical people to minimize technical needs leads WordPress users to often know nothing about a system other than the WordPress interface. WordPress is a popular bundled application for site hosting platforms to bundle in with a hosting subscription. The mixture of lack of technical knowledge or not being aware you may have WordPress on your hosted platform combines with PHP development and outdated security practices to make WordPress a perfect target for threat actors to steal data or use a compromised site to trick unsuspecting users into malicious interactions that look legitimate.

   “I say all this to address the questions of why WordPress is a rich target and why it keeps being the target of malicious campaigns. It is low hanging fruit that is trivial to pop. It’s so popular as a target it is often the target newbie hackers start with.

   “So now to Balada. Why is it so large? A mixture of low hanging fruit and exploitable targets that can often be found with Google dorking, and attackers using compromised hosts as currency leads to a long dwell time for attackers on a victim. 

   “This campaign is so large and lengthy due to the attackers taking advantage of many uses of WordPress like targeting specific platforms with specific code or easily hiding backdoors in pirated plugins. This group is the multi-headed hydra of attacks by varying exploits and post compromise activities.

   “In addition to tooling and techniques, the rise of encryption everywhere blinds many network based detection tools with the same technology, TLS, used to make sure a hacker at a coffee shop isn’t sniffing an unsuspecting Wi-Fi user’s website credentials.

   “WordPress is a de facto content management solution with an entire ecosystem of developers writing themes, plugins and tools. Often this 3rd party software is the source of compromise.

   “This campaign is large because the attackers have multiple attacks and post compromise tooling that allows them to stay a few steps ahead of WordPress admins.

   “Website owners often go to WordPress because it allows quick and easy content development without the need for a team of coders. These are the users least likely to notice they have been compromised.

   “I don’t think WordPress and its ecosystem can be secured. Popular WordPress security apps often don’t try to stop intrusions but rather focus on cleaning out an attacker by rolling to a previously known good version. If the security experts don’t think they can stop attackers why would anyone else?”

This scares me as I use WordPress for this blog. I’ve spent a lot of time going through the configuration of this blog to ensure that it is as secure as possible. Hopefully WordPress will step up and improve the security of its product; that, combined with individual WordPress users doing all they can to improve security on their end, may be the only hope of mitigating these attacks.
