Over 1 million WordPress websites are believed to be currently infected by a hacking campaign that began in 2017 and is still ongoing.
The threat actor behind this campaign is unknown.
- According to the researcher tracking the campaign, it takes advantage of essentially all WordPress vulnerabilities tracked so far.
- The campaign uses the Balada Injector, abusing newly registered domain names that host malicious scripts and redirecting victims to various scam websites.
- In the final stage of its infection chain, the malware enables the attackers to create fake WordPress admin users, harvest data stored on the underlying hosts, and leave backdoors that serve as long-term access paths.
- Through this method, the hacker group can gain access to multiple websites by compromising just one of them.
- In addition to malware, the campaign also uses brute-force attacks in an attempt to guess passwords.