WordPress Websites Under Attack by Balada Injector Malware! 🔒

Oct 12 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s shining a light on cybercrime brighter than Luton airport carpark 🙈🙈🙈

Today’s hottest cybersecurity news stories:

  • 📰 Stop the WordPress! 17k WP sites hacked by ‘Balada Injector’ 💉

  • 🛑 CISA and desist: warnings of in-the-wild abuse of Adobe Acrobat Reader 🔎

  • 👨‍💻 Microsoft: Hackers are actively exploiting Atlassian Confluence flaw 📊

Hackers: Balada bing Balada boom 💀

🔒 WordPress Websites Under Attack by Balada Injector Malware! 🔒

In September 2023, a shocking 17,000+ WordPress websites were hacked by the notorious Balada Injector malware, doubling August's numbers! 😱

😨 9,000 sites were infiltrated via a new security flaw (CVE-2023-3169, CVSS 6.1) in the tagDiv Composer plugin, allowing hackers to perform cross-site scripting attacks.

This isn't Balada Injector's first rodeo! They've been targeting tagDiv's premium themes for years, with 2017 being a significant hit.

🕵️‍♂️ Doctor Web discovered Balada Injector in December 2022. The campaign uses WordPress plugin vulnerabilities to deploy Linux backdoors. Their goal? Redirect users to fake tech support, lottery scams, and push notification cons. Over a million websites have fallen victim since 2017.

🌊 Attacks occur in waves, with spikes on Tuesdays, often following a weekend launch. The latest wave exploited CVE-2023-3169 to inject malicious scripts, creating backdoors and rogue administrators. 😈

💥 The malware evolves rapidly, planting backdoors in error pages, installing plugins, and executing arbitrary PHP code. It even mimics plugin installations, making it one of the most complex attacks!

🔄 The core plugin acts as a backdoor, allowing remote PHP execution. Recent attacks involve randomised code injections, downloading second-stage malware, and transmitting cookies to actor-controlled URLs for JavaScript code.

🦠 Balada Injector is a persistent threat; stay vigilant and update your plugins regularly to protect your WordPress site! 💪

For more security updates, keep following our newsletter! 🛡️👁️
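Since the latest wave is described as creating rogue administrators, one practical check is to compare a site's administrator accounts against a list the owner maintains. The sketch below is an added example, not code from the newsletter or from any vendor report; the account names, the approved list and the 30-day window are constructed assumptions, and the input is shaped like the JSON that `wp user list` prints.

```python
import json
from datetime import datetime, timedelta

# Constructed sample (names are placeholders, not indicators from any report),
# shaped like the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_WP_ADMINS = """
[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
   "user_registered": "2019-03-02 10:15:00"},
  {"ID": 7, "user_login": "editor_jo", "user_email": "jo@example.org",
   "user_registered": "2023-09-20 08:00:00"},
  {"ID": 42, "user_login": "wpsupport01", "user_email": "x@example.net",
   "user_registered": "2023-09-26 03:12:44"},
  {"ID": 43, "user_login": "sysbackup", "user_email": "y@example.net",
   "user_registered": "0000-00-00 00:00:00"}
]
"""

# Assumption: the site owner keeps a list of accounts that should be admins.
APPROVED_ADMINS = {"siteowner", "editor_jo"}


def audit_admins(raw_json, approved, now, recent_days=30):
    """Return {login: [reasons]} for administrators that are not approved."""
    cutoff = now - timedelta(days=recent_days)
    findings = {}
    for user in json.loads(raw_json):
        login = user["user_login"]
        if login.lower() in approved:
            continue  # known account; a recent signup alone is not a finding
        reasons = ["not on approved list"]
        try:
            registered = datetime.strptime(user["user_registered"],
                                           "%Y-%m-%d %H:%M:%S")
            if registered >= cutoff:
                reasons.append(f"registered in last {recent_days} days")
        except ValueError:
            # A zero or malformed date cannot be placed in time; review by hand.
            reasons.append("unparseable registration date")
        findings[login] = reasons
    return findings


if __name__ == "__main__":
    for login, why in audit_admins(SAMPLE_WP_ADMINS, APPROVED_ADMINS,
                                   datetime(2023, 10, 12)).items():
        print(f"{login}: {', '.join(why)}")
```

Any account it reports should be checked against change records before removal, alongside a review of installed plugins and theme files.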

Cybersecurity is more important than ever, and your Mac or PC is no exception. Over time, your Mac or PC can accumulate junk files, malware, and other threats that can slow it down and make it vulnerable to attack.

That's where MacPaw comes in. MacPaw offers a suite of easy-to-use apps that can help you clean, optimize, and secure your Mac. With MacPaw, you can:

  • Remove junk files and malware to free up space and improve performance

  • Protect your privacy by erasing sensitive data

  • Optimize your startup settings to speed up boot times

  • Manage your extensions and apps to keep your Mac or PC running smoothly

Since 2008, MacPaw has been trusted by over 30 million users worldwide, and it's the perfect solution for keeping your Mac or PC safe and secure.

Hackers: Hey CISA, CISA, whatever will be Adobe

🚨 Adobe Acrobat Reader Vulnerability Added to CISA's Exploited Vulnerabilities List 🚨

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a serious security concern. They've added an actively exploited vulnerability in Adobe Acrobat Reader to their catalogue. 😱

Tracked as CVE-2023-21608 (CVSS score: 7.8), this is a "use-after-free" bug, enabling remote code execution (RCE) with the user's privileges. Adobe released a patch in January 2023; the flaw was discovered by HackSys researchers Ashfaq Ansari and Krishnakant Patil.

🖥️ Versions impacted include:

  • Acrobat DC (fixed in 22.003.20310)

  • Acrobat Reader DC (fixed in 22.003.20310)

  • Acrobat 2020 (fixed in 20.005.30436)

  • Acrobat Reader 2020 (fixed in 20.005.30436)

🕵️ Details about exploitation and threat actors are unknown, but a proof-of-concept (PoC) exploit surfaced in January 2023.

This is the second Adobe Acrobat/Reader vulnerability with in-the-wild exploitation, the first being CVE-2023-26369.

🗓️ Federal Civilian Executive Branch (FCEB) agencies must apply patches by October 31, 2023, to protect their networks from potential threats.

Stay safe and update your software! 🛡️🖥️

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)

🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run of the mill American getaway 🏞️ (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Microsoft ups the ante, At long Lassian

Microsoft Links Critical Flaw in Atlassian Confluence to Nation-State Actor Storm-0062

In a significant development, Microsoft's threat intelligence team has uncovered a critical vulnerability in Atlassian Confluence Data Center and Server and linked it to a nation-state actor known as Storm-0062, also identified as DarkShadow or Oro0lxy. This actor has been operating in the wild since September 14, 2023, underscoring the seriousness of this threat. 😱

🔒 The vulnerability in question, labelled CVE-2023-22515, is rated a perfect 10.0 on the CVSS severity scale, signifying its extreme risk. It enables remote attackers to create unauthorised Confluence administrator accounts and gain access to Confluence servers, potentially causing significant harm.

🛡️ To safeguard your systems, it's imperative that you update your Atlassian Confluence to the following versions:

  • 8.3.3 or newer

  • 8.4.3 or newer

  • 8.5.2 (Long Term Support) or later

While the full extent of the attacks remains uncertain, it is evident that this vulnerability was exploited as a zero-day by the threat actor, indicating a high level of sophistication.

🕵️ Oro0lxy is a digital alias associated with Chinese hacker Li Xiaoyu, who was accused by the U.S. Department of Justice in July 2020 of infiltrating numerous companies, including Moderna, a coronavirus vaccine researcher.

🔒 To protect your organisation, act swiftly. Update to the latest Confluence versions and ensure your applications are isolated from the public internet until the fixes are in place. Your cybersecurity is of utmost importance! 🛡️ Stay vigilant and stay safe online.
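The fixed-version lists in this issue (Confluence above, Acrobat and Reader in the CISA item) are per release branch, so comparing an installed version against a single minimum gives wrong answers. The following is an added example, not vendor or newsletter code; the function and table names are hypothetical and the version numbers are only those listed on this page.

```python
def parse_version(text):
    """'8.4.0' -> (8, 4, 0); '22.003.20310' -> (22, 3, 20310)."""
    return tuple(int(part) for part in text.strip().split("."))


# Fixed builds exactly as listed on this page. Each product maps a release
# branch prefix to the first fixed build on that branch; () means the page
# gives one threshold for the whole track.
FIXED_BUILDS = {
    "confluence":   {(8, 3): "8.3.3", (8, 4): "8.4.3", (8, 5): "8.5.2"},
    "acrobat-dc":   {(): "22.003.20310"},   # also Acrobat Reader DC
    "acrobat-2020": {(): "20.005.30436"},   # also Acrobat Reader 2020
}


def patch_status(product, installed):
    """Return 'fixed', 'needs-update' or 'not-listed' for an installed version."""
    version = parse_version(installed)
    branches = FIXED_BUILDS[product]
    for prefix, fixed in branches.items():
        if version[:len(prefix)] == prefix:
            return "fixed" if version >= parse_version(fixed) else "needs-update"
    newest = max(parse_version(f) for f in branches.values())
    # Newer than every listed branch is covered by "or later". Older branches
    # are not on the page's list, so say so instead of guessing.
    return "fixed" if version > newest else "not-listed"


def naive_status(installed, minimum="8.3.3"):
    """The common mistake: one global minimum applied to every branch."""
    ok = parse_version(installed) >= parse_version(minimum)
    return "fixed" if ok else "needs-update"


if __name__ == "__main__":
    for product, installed in [("confluence", "8.4.0"), ("confluence", "8.6.0"),
                               ("confluence", "7.19.0"),
                               ("acrobat-2020", "20.005.30418")]:
        print(product, installed, patch_status(product, installed))
    print("naive check on 8.4.0:", naive_status("8.4.0"))
```

A `not-listed` result means the page gives no fixed build for that branch, so the vendor advisory has to be consulted.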

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 💊 HealthHack: Tech is making it easier than ever to reach your fitness goals, from wearable devices to nutrition apps, this newsletter does the research for you, get all the latest health tech gadgets delivered to your inbox.

  • ₿ Crypto Nutshell: A well written and beautifully designed newsletter giving you the lowdown on crypto and web3, highly recommend if interested to get up to date info on the crypto/web3 market.

  • 🧠 Big Brain: Trending AI news, jobs and tools delivered in 3 minutes per day.

Let us know what you think!

So long and thanks for reading all the phish!
