SecurityWeek reports that more than 17,000 WordPress sites, including 9,000 sites vulnerable to the recently addressed TagDiv Composer front-end page builder plugin flaw, tracked as CVE-2023-3169, have been infected as part of the long-running Balada Injector campaign.
Malicious code injected into a certain WordPress database facilitated by the exploitation of the vulnerability enabled site access that was then leveraged by threat actors to deploy plugins and backdoors, as well as create admin accounts that would ensure persistence, a Sucuri report revealed.
"We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites," said Sucuri, which previously noted in April that the Balada Injector campaign has already compromised more than 1 million WordPress sites during the past six years.
Seventy-four percent of codebases had high-risk open source vulnerabilities last year, representing a significant increase over the 48% of those with exploited flaws, proof-of-concept exploits, and remote code execution issues in 2022.
A GitHub Actions workflow could have been used for a command injection vulnerability in Bazel, which had the potential for threat actors to add malicious code into the production environment for projects using the Google open-source product.