Updated on 2022-11-06: Crime group hijacks hundreds of U.S. news websites to push malware
Proofpoint dropped some light details of a mass media compromise in a tweet thread on Wednesday. With more details, @carlypage_ spoke with Proofpoint to learn more. An initial access broker, aka TA569, hacked an unnamed media content provider to deploy malware on hundreds of U.S. news outlet websites; the idea is to trick visitors into installing a fake browser update that eventually delivers malware, usually ransomware (given the links to WastedLocker). It’s a spray-and-pray tactic that uses the media supply chain to target individuals, rather than the highly targeted efforts of some ransomware gangs that break in using zero-days and other vulnerabilities. But clearly, it’s having some effect. Read more:
- Crime group hijacks hundreds of US news websites to push malware
- Hundreds of U.S. news sites push malware in supply-chain attack
Updated on 2022-11-04: Scores of US News Sites are Delivering Malware
Numerous news sites across the US are serving up malware, according to Proofpoint Threat Research. The issue appears to be a supply chain attack: the attackers targeted a content and advertising engine that serves videos and advertising via JavaScript to the more than 250 affected news sites.
Note
- This is very similar to an incident in January that affected realtor websites. A compromised video delivery platform affected multiple sites using the service. If applicable, the simplest solution is SRI (Subresource Integrity), which adds hashes to script tags retrieving remote content. But often the “business need” to track users interferes, as it requires the JavaScript to change for each user, reducing the applicability of SRI hashes.
- Those ads are obviously a source of revenue for the company sites showing them, so the cost of making sure that they are safe and secure should be built into the business decisions to go after advertising revenue – but obviously that is too often not the case. If your company is hosting ads from third-party services, this is a good one to use as part of briefing the management and the board.
- So what do you do if your trusted site for media and content is itself compromised? Scanning _YOUR_ content won’t reveal that: you have to look at things from an end-user POV and be prepared to disconnect the inappropriate feed as well as aggressively scan for discovered IOCs. Proofpoint is tracking this attack to an APT they call TA569, which is distributing the SocGholish (aka FakeUpdates) malware, which can lead to follow-up issues, including ransomware. TA569 is also adept at re-infecting remediated services, which means you need to be on your toes if you discover SocGholish.
- Unfortunately most news outlets are 100% dependent upon ad revenue. Some of their “advertisers” are bound to be malicious, and that’s just the water these agencies have to fish in.
Read more in
- More than 250 US news sites inject malware in possible supply chain attack
- Hundreds of U.S. news sites push malware in supply-chain attack
- Over 250 US News Websites Deliver Malware via Supply Chain Attack
- Supply Chain Attack Pushes Out Malware to More than 250 Media Websites
Overview
The TA569 threat actor infected 250 regional and national news sites in the U.S. with the SocGholish (FakeUpdates) malware, in a supply chain attack. Read more: Over 250 US News Websites Deliver Malware via Supply Chain Attack