Massive Balada Injector campaign attacking WordPress sites since 2017

An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits "all known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor that researchers named Balada Injector.
According to website security company Sucuri, the Balada Injector campaign is the same one that Dr. Web reported in December 2022 as leveraging known flaws in several plugins and themes to plant a backdoor.
Sucuri highlights a case of a site that was attacked 311 times with 11 distinct versions of Balada.
The Balada Injector plants multiple backdoors on compromised WordPress sites for redundancy, which act as hidden access points for the attackers.
The researchers say that Balada injectors are not present on every compromised site, since that large a number of clients would be a tough challenge to manage.
Cross-site infections enable the attackers to re-infect cleaned-up sites repeatedly, as long as access to the VPS is maintained.