Is Someone Trying to Hijack Your Website?

13.10.23 02:50 PM - By Kyle

Another WordPress Vulnerability

Thousands of websites built on WordPress, the most widely used content management system, have been compromised by attackers exploiting a flaw in tagDiv Composer, a plugin that ships with and is required by two popular commercial WordPress themes, Newspaper and Newsmag, which are sold through popular theme marketplaces.


The flaw, tracked as CVE-2023-3169, is a stored cross-site scripting (XSS) vulnerability: it lets an attacker save malicious script on the server so that it is served to every visitor of the affected pages. It was reported by a researcher from Vietnam, Truoc Phan, and carries a CVSS severity score of 7.1 out of 10. The tagDiv developers partially fixed it in tagDiv Composer version 4.1 and fully fixed it in version 4.2.


The attackers use the flaw to inject script into vulnerable sites that redirects visitors to scam pages: fake lottery wins, fake tech-support alerts, and bogus "I'm not a robot" prompts designed to trick visitors into subscribing to push notifications that deliver more scams later.


The security company Sucuri has tracked this campaign since 2017 under the name "Balada Injector." It estimates that Balada has infected more than a million websites over the past six years. Last month alone Sucuri found Balada on over 17,000 sites, nearly twice the previous month's count, and more than 9,000 of those new infections came through CVE-2023-3169.

Sucuri has tracked no fewer than six waves of injections that leverage the vulnerability. While each wave is distinct, all contain a telltale script injected inside the same tags.

The injected code is deliberately obfuscated so that it is hard to spot, much like hiding a single sentence in a very long book. It lives in the WordPress database rather than in theme or plugin files: Sucuri found it stored in the td_live_css_local_storage option (a tagDiv setting) of the wp_options table, so a file-only malware scan will miss it.


The operators behind Balada always try to keep control of the sites they compromise. They typically plant hidden backdoors that create additional administrator accounts (accounts with full control of the site). If the site owner finds and removes only the redirect script but leaves those accounts and backdoors in place, the attackers simply log back in and re-inject, and the problem keeps coming back.


The researcher who found this explained it this way:

If you're responsible for a website that uses the WordPress themes Newspaper or Newsmag, here's what you should do:

1. Consider moving to a hosted website builder such as Zoho Sites or Zoho Commerce, which do not depend on third-party plugins the way WordPress does.

2. Update tagDiv Composer to version 4.2 or later, the version that fully fixes CVE-2023-3169. Then keep in mind that the Balada operators are trying to keep control of the sites they've compromised: as well as removing the injected script, check for backdoors they may have left behind to get back in, and look for administrator accounts you did not create.

In simple terms, it's like checking your house after a break-in: not just the front door, but every hidden way in, and making sure nobody who shouldn't have a key still has one.
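The following triage script illustrates the two checks above: scanning wp_options for injected script (including the td_live_css_local_storage option Sucuri named) and listing administrator accounts the site owner does not recognize. It is an added example, not code from the article, Sucuri, tagDiv or WordPress. It assumes the default "wp_" table prefix and takes rows as Python dicts keyed by the column names of wp_options, wp_users and wp_usermeta; the indicator patterns and sample rows are mine, not a published Balada signature or real captures.

```python
"""Post-compromise triage for the Balada / tagDiv Composer injection described above.

Added example; not code from the article, Sucuri, tagDiv or WordPress.
Assumptions (mine, not from the article): the default 'wp_' table prefix, and
rows handed in as dicts keyed by the column names of wp_options, wp_users and
wp_usermeta.  Export those tables with your database client and feed them in.
"""
from __future__ import annotations

import base64
import re

# Generic markers of injected script and of the obfuscation layers that hide it.
# These are my own indicators, not a signature published by Sucuri.
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I),
    "obfuscation": re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I),
    "dom_write": re.compile(r"document\.write\s*\(", re.I),
    "remote_script": re.compile(r"src\s*=\s*['\"]?(?:https?:)?//", re.I),
}
# The option in wp_options where, per the article, Sucuri found the injected code.
KNOWN_INJECTION_OPTIONS = {"td_live_css_local_storage"}
# Serialized-PHP fragment WordPress stores for the administrator role.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def _decoded_blobs(value: str):
    """Yield the decoded text of any base64-looking run inside value; skip junk."""
    for blob in re.findall(r"[A-Za-z0-9+/]{32,}={0,2}", value):
        core = blob.rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        yield raw.decode("utf-8", "ignore")


def classify_option(option_value: str) -> list[str]:
    """Indicator names that fire on the raw value, plus 'base64:<name>' for
    hits inside decoded base64 blobs (the injected payloads are layered)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(option_value)]
    for text in _decoded_blobs(option_value):
        hits += [f"base64:{name}" for name, rx in INDICATORS.items() if rx.search(text)]
    return hits


def scan_options(option_rows) -> list[dict]:
    """Report every wp_options row whose value looks like injected script."""
    report = []
    for row in option_rows:
        hits = classify_option(row["option_value"])
        if hits:
            report.append({
                "option_name": row["option_name"],
                "known_location": row["option_name"] in KNOWN_INJECTION_OPTIONS,
                "indicators": hits,
            })
    return report


def unexpected_admins(user_rows, usermeta_rows, expected_logins, prefix="wp_"):
    """Administrators whose login is not in expected_logins.  Role membership
    lives in wp_usermeta under '<prefix>capabilities', not in wp_users."""
    cap_key = prefix + "capabilities"
    admin_ids = {m["user_id"] for m in usermeta_rows
                 if m["meta_key"] == cap_key and ADMIN_CAP.search(m["meta_value"])}
    return sorted(
        (u["user_login"], u["user_email"], u["user_registered"])
        for u in user_rows
        if u["ID"] in admin_ids and u["user_login"] not in expected_logins
    )


# --- Constructed sample data (not real captures) ------------------------------
_PAYLOAD = "document.write('<script src=\"https://example.invalid/r.js\"><\\/script>')"
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://example.invalid"},
    {"option_name": "widget_block", "option_value": "<p>Welcome to the site</p>"},
    {"option_name": "td_live_css_local_storage",
     "option_value": f'<script>eval(atob("{_B64}"))</script>'},
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "editor-in-chief", "user_email": "owner@example.invalid",
     "user_registered": "2019-03-04 10:00:00"},
    {"ID": 8, "user_login": "reporter", "user_email": "reporter@example.invalid",
     "user_registered": "2021-06-15 09:30:00"},
    {"ID": 57, "user_login": "wp-support", "user_email": "support@example.invalid",
     "user_registered": "2023-09-20 03:12:44"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 8, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_OPTIONS):
        print("injected option:", finding)
    for login, email, registered in unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"editor-in-chief"}):
        print(f"unexpected administrator: {login} <{email}> registered {registered}")
```

The option scan decodes base64 runs before matching because the redirect script is usually wrapped in one or more encoding layers; the administrator check reads wp_usermeta rather than wp_users because WordPress stores roles there, and it compares against a list of logins you know you created, since a rogue account can be given any plausible-looking name.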

Check out our web solutions!

Zoho Sites

Kyle
