Attackers Compromised Dozens of News Websites as Part of Ransomware Campaign

Published : 23/11/2024   Category : security

Malware used to download WastedLocker on target networks was hosted on legit websites belonging to one parent company, Symantec says.



Attackers recently compromised dozens of US newspaper websites belonging to the same parent company and used the sites to distribute malicious code for downloading ransomware on networks belonging to targeted organizations across multiple sectors.
Several major US organizations that were recently found infected with the malware appear to have been initially compromised when their employees visited one of the news websites, Symantec said.
The security vendor last week had reported discovering SocGholish, a JavaScript-based malware masquerading as a software update, on networks belonging to at least 31 major enterprise customers. A Russia-based group called Evil Corp. is using the malware as part of an attack sequence to download a new ransomware strain called WastedLocker on target networks, Symantec had noted.
Among the Symantec customers impacted in the campaign are 11 publicly listed organizations, including eight in the Fortune 500 list. A plurality of the victims are in the manufacturing sector, though organizations from other industries were hit as well, including financial services, healthcare, energy, and transportation. In each case, the attacks were detected and stopped before the ransomware deployed.
Had the attacks succeeded, the victims would likely have lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. The end goal of these attacks is to cripple the victims' IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom, the vendor said in its report last week.
Evil Corp. is a well-known threat actor believed responsible for attacks — including those associated with Dridex and Zeus ransomware samples — that have cumulatively cost victims hundreds of millions of dollars in damages. A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large — one of them with a $5 million US reward on his head.
In its initial report (updated this week), Symantec said its researchers had discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites.
According to the vendor, its continuing investigation of the campaign showed that dozens of the compromised websites were actually news sites belonging to one parent company. Symantec notified the organization of the issue, and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.
The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware, to communicate with command-and-control servers, and to move laterally on infected networks.
The tools being used in the campaign include PowerShell scripts, the PsExec Windows Sysinternals tool, and the Windows Management Instrumentation Command Line Utility (wmic.exe), which is being used to disable real-time monitoring and scanning of downloaded files. In many of the attacks, the threat actors have attempted to disable Windows Defender and associated services before deploying the ransomware.
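As an added example (not code from the article, Symantec or NCC Group), the following detection logic flags process-creation events matching the three behaviours described above: a script host running a JavaScript file posing as an update, wmic.exe or PowerShell tampering with Defender real-time monitoring, and PsExec use. The log lines are constructed and the field names assume Sysmon Event ID 1 exported as JSON lines.

```python
"""Detection over constructed process-creation events for the tradecraft
described in the article. Not the vendors' own tooling; log lines below are
made up for illustration and the field names assume Sysmon Event ID 1."""
import json
import re

# Constructed sample: explorer launching a fake-update .js, PowerShell turning
# off real-time monitoring, PsExec reaching another host, and a benign event.
SAMPLE_LOG = r"""
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe \"C:\\Users\\u\\Downloads\\Chrome.Update.js\""}
{"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Tools\\PsExec.exe","CommandLine":"PsExec.exe \\\\fileserver01 -s cmd.exe"}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
"""

# Defender preference/service names are real; matching them in a command line
# of wmic.exe or powershell.exe is the tampering the article describes.
DEFENDER_TAMPER = re.compile(r"disablerealtimemonitoring|disableioavprotection|windefend", re.I)
TAMPER_TOOLS = {"wmic.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of all rules that fire for one event dict."""
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    if image in TAMPER_TOOLS and DEFENDER_TAMPER.search(cmd):
        hits.append("defender-tamper")
    if image.startswith("psexe"):  # psexec.exe, psexec64.exe, psexesvc.exe
        hits.append("psexec-lateral")
    # Heuristic (assumption): a script host running a .js whose name claims to be an update.
    if image in SCRIPT_HOSTS and re.search(r"update[^\\]*\.js\b", cmd, re.I):
        hits.append("fake-update-script")
    return hits


def scan(log_text):
    """Return [(line_no, [rules])] for every JSON-line event that triggers a rule."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        hits = classify(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings
```

Each rule on its own produces noise from administrators; correlating them on one host within a short window, as in the chain the article describes, is what makes the alert worth paging on.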