Hundreds of US news sites hacked to send out malware
American news outlets hijacked to deliver SocGholish malware
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Hundreds of news websites across the US have been compromised to deliver malware to their readers, researchers are saying.
Experts from Proofpoint discovered amalwaredistribution campaign that targeted an unnamed media company in the US which owns hundreds of websites belonging to various newspapers.
Allegedly, some of the sites are national, others are from New York, Boston, Chicago, Miami, Washington, D.C., and others.
Fake browser updates
Overall, more than 250 websites owned by the company were hijacked to deliver the SocGholish JavaScript malware framework. These sites deliver their content to the readers via a benign JavaScript code. That code was hijacked to deliver what’s known as “initial access threat”, which pushes drive-by-downloads pretending to be software updates.
In other words, website visitors would be prompted to download fakebrowserupdates delivered as ZIP archives.
“The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, toldBleepingComputer.
“Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,” Proofpoint said in a Twitter post.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Hackers hijack adult websites to infect victims with malware>Fake Google Chrome update download could steal all your data>Check out the best endpoint protection services right now
“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
Proofpoint also said that SocGholish can be used to launch stage-two attacks, which could includeransomwareinfections, as well. It seems to be speaking from experience here, as Evil Corp, an infamous Russia-based threat actor, is known for using SocGholish in similar campaigns. It once even tried to deploy its WastedLocker ransomware, but was thwarted by Symantec.
In this particular situation, it seems that the attack is the work of a group tracked as TA569.
“The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation,” the researchers warned.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Rising AI threats are making firms turn back to human intelligence
Thousands of employees could be falling victim to obvious phishing scams every month
How we test vacuum cleaners
