When Vulnerable Sites Go Bad: Hijacked Websites Found Serving Ransomware
On July 19th, a wave of business websites was hijacked to deliver ransomware to anyone who visits their site. According to reports, Dunlop Adhesives, the official tourism site for Guatemala, and other legitimate websites were among those that were impacted.
The sites were said to have been exploited by a botnet called SoakSoak, or a similar automated attack that searches for vulnerable or unpatched content management systems (CMS). The affected sites were observed redirecting visitors to a malicious website that attempts to install CryptXXX, a ransomware family first discovered in April 2016 that features anti-VM and anti-analysis functions that allow it to evade detection.
The SoakSoak botnet identifies a vulnerable website by adding redirection scripts that sends visitors to an alternate site that hosts the Neutrino exploit kit, a “commercial” malware-dropping tool sold in the underground black market.
In this recent incident, the Neutrino exploit kit checks if the endpoint is using any security software, or a Flash Player debugging utility. According to the blog post, if those programs are not found on the victim, the command shell is opened and the Windows utility of the Windows Script Host is accessed to download the ransomware payload from a command and control (C&C) server.
When Good Sites Go Bad
The routine isn't new. Attackers have been compromising websites using malvertising campaigns, and many other techniques to direct users to exploit kits. Compromised sites victimize users by redirecting them towards another site that contains the exploit kit code. In most cases, these sites were easily compromised because of the unpatched or vulnerable CMS software used for these servers. In November 2015, Trend Micro reported the first ElTest campaign that delivered ransomware to visitors of compromised websites using the Angler exploit kit. Based on findings, the campaign managed to take over more than 1,500 websites, and similarly used them to distribute Cryptesla ransomware (detected as RANSOM_CRYPTESLA.YYSIX). The ElTest campaign usually added a SWF object to pages on the compromised website, which loads another Flash file to inject a hidden iFrame that led users to exploit kits.
ElTest was not the only campaign that targeted vulnerable websites. Other campaigns targeted sites that run popular content management systems like WordPress, Joomla, and Drupal. The affected sites were running unpatched and vulnerable versions of these systems, or widely-used third party add-ons.
Vulnerable Content Management Systems: Easy Targets
Content management systems have remarkably evolved over the past years. Current CMS platforms offer a feature-rich and intuitive interface that individual users and businesses can use to publish their digital content. Businesses are adopting CMS platforms to take advantage of the convenience these publishing systems provide, especially when addressing the need to make quick changes to their web content, support multiple users working collaboratively, and customize content for their visitors.
Unfortunately, the vast amount of third-party components such as plugins, themes, and custom add-ons can make their CMS platforms highly susceptible to security flaws and cyber-attacks. The combination of these factors allows attackers to target websites and compromise them with relatively low effort, while potentially affecting a large number of the site's users. Cybercriminals also leverage the affected website's popularity to get quick returns by targeting and exploiting unpatched or vulnerable components of their CMS-run websites, as seen in this recent incident.
Reducing the RisksTo protect against attacks, it is recommended that site administrators upgrade to the latest versions of WordPress and other content management systems to make sure that they’re safe from known vulnerabilities. This can usually be done via the WordPress dashboard. Trend Micro Deep Security offers anti-malware solution with web reputation, network security that includes intrusion detection and protection (IDS/IPS) to shield unpatched vulnerabilities, as well as a firewall to provide a customizable perimeter around each server. It also provides system security, including file and system integrity monitoring for compliance, as well as log inspection to identify and report important security events. To protect endpoints, Trend Micro Vulnerability Protection blocks known and unknown vulnerability exploits before patches are deployed, blocks all known exploits with intrusion prevention signatures, protects endpoints with minimal impact on network throughput, performance, or user productivity, and shields operating systems and common applications known and unknown attacks.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report