Supply Chain Attack Pushes Out Malware to More than 250 Media Websites

Published: 23/11/2024   Category: security


TA569 has modified the JavaScript of a legitimate content and advertising engine used by news affiliates, in order to spread the FakeUpdates initial access framework.



The cyber-threat actor known as TA569, or SocGholish, has compromised JavaScript code used by a media content provider in order to spread the FakeUpdates malware to major media outlets across the US.

According to a series of tweets from the Proofpoint Threat Research Team posted late Wednesday, the attackers have tampered with the codebase of an application that the unnamed company uses to serve video and advertising to national and regional newspaper websites. The supply chain attack is being used to spread TA569's custom malware, which is typically employed to establish an initial access network for follow-on attacks and ransomware delivery.

Detection might be tricky, the researchers warned: "TA569 historically removed and reinstated these malicious JS injects on a rotating basis," according to one of the tweets. "Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive."
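The rotating injects described above are the reason a one-off scan of a third-party script is not enough: a defender who re-fetches the script an hour later may see clean content again and wrongly close the case. The following is an added example, not Proofpoint's tooling or code from the affected content provider. It assumes the site operator periodically fetches every third-party script its pages load (the fetching itself is omitted so the example runs offline) and feeds each copy into a monitor that hashes it against an approved baseline. A later return to the baseline is reported as "reverted" rather than as a clean result, so the interim deviation remains an open finding. The script contents, the URL (`cdn.example.invalid`) and the timestamps are constructed placeholders.

```python
"""Script-integrity monitor for third-party JavaScript (added example).

Assumption: a scheduled job downloads each third-party script and calls
ScriptMonitor.observe() with the body it received. The monitor compares the
SHA-256 of every observation with an approved baseline and keeps a count of
deviations per URL, so a script that has been tampered with and then restored
is still flagged for investigation.
"""
import hashlib
from dataclasses import dataclass, field

APPROVED = "approved"   # content matches the baseline, no prior deviation
MODIFIED = "modified"   # content differs from the baseline
REVERTED = "reverted"   # back to baseline, but a deviation was seen earlier


def sha256_hex(content: str) -> str:
    """Hex SHA-256 of the script body (UTF-8)."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass
class ScriptMonitor:
    """Tracks third-party scripts by URL against a known-good hash."""
    baseline: dict                                  # url -> approved sha256
    history: dict = field(default_factory=dict)     # url -> list of records
    incidents: dict = field(default_factory=dict)   # url -> deviation count

    def observe(self, url: str, content: str, timestamp: str) -> dict:
        """Record one fetched copy of the script and classify it."""
        expected = self.baseline.get(url)
        if expected is None:
            raise KeyError(f"no approved baseline for {url}")
        digest = sha256_hex(content)
        if digest != expected:
            status = MODIFIED
            self.incidents[url] = self.incidents.get(url, 0) + 1
        elif self.incidents.get(url, 0) > 0:
            # Content is clean again, but the earlier change is the indicator.
            status = REVERTED
        else:
            status = APPROVED
        record = {"url": url, "time": timestamp, "sha256": digest, "status": status}
        self.history.setdefault(url, []).append(record)
        return record

    def needs_investigation(self, url: str) -> bool:
        """True once any deviation has been observed, even if it has since reverted."""
        return self.incidents.get(url, 0) > 0


# Constructed sample data: a benign player loader and a tampered copy of it.
SCRIPT_URL = "https://cdn.example.invalid/player.js"  # placeholder URL
CLEAN_SCRIPT = "window.loadPlayer = function (id) { return document.getElementById(id); };\n"
TAMPERED_SCRIPT = CLEAN_SCRIPT + "(function () { /* constructed stand-in for injected code */ })();\n"


def demo():
    """Three hourly observations: clean, tampered, clean again."""
    monitor = ScriptMonitor(baseline={SCRIPT_URL: sha256_hex(CLEAN_SCRIPT)})
    statuses = [
        monitor.observe(SCRIPT_URL, CLEAN_SCRIPT, "T+0h")["status"],
        monitor.observe(SCRIPT_URL, TAMPERED_SCRIPT, "T+1h")["status"],
        monitor.observe(SCRIPT_URL, CLEAN_SCRIPT, "T+2h")["status"],
    ]
    return statuses, monitor.needs_investigation(SCRIPT_URL)


if __name__ == "__main__":
    print(demo())
```

The baseline hash must come from a copy of the script reviewed by the site operator, and it has to be refreshed whenever the provider legitimately ships a new version; until then every change, including the expected ones, surfaces as a finding to triage. Keeping the per-URL history also gives the investigator the exact window in which the tampered copy was served.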
More than 250 regional and national newspaper sites have accessed the malicious JavaScript, with impacted media organizations serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, DC, according to Proofpoint. However, only the impacted media content company knows the full range of the attack and its impact on affiliate sites, the researchers said.

The tweets cited Proofpoint threat detection analyst Dusty Miller, senior security researcher Kyle Eaton, and senior threat researcher Andrew Northern for the discovery and investigation of the attack.

FakeUpdates is an initial access malware and attack framework in use since at least 2020 (but potentially earlier) that in the past has used drive-by downloads masquerading as software updates to propagate. It previously has been linked to activity by the suspected Russian cybercrime group Evil Corp, which has been formally sanctioned by the US government.

The operators typically host a malicious website that executes a drive-by download mechanism — such as JavaScript code injections or URL redirections — which in turn triggers the download of an archive file that contains malware.

Symantec researchers previously observed Evil Corp using the malware as part of an attack sequence to download WastedLocker, then a new ransomware strain, on target networks back in July 2020. A surge of drive-by download attacks that used the framework followed toward the end of that year, with the attackers hosting malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate site.

More recently, researchers tied a threat campaign distributing FakeUpdates to existing infections of the Raspberry Robin USB-based worm, a move that signified a link between the Russian cybercriminal group and the worm, which acts as a loader for other malware.

The campaign discovered by Proofpoint is yet another example of attackers using the software supply chain to infect code that's shared across multiple platforms, broadening the impact of a malicious attack without having to work any harder.

Indeed, there already have been numerous examples of the ripple effect these attacks can have, with the now infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year, with multiple attacks across various organizations. The latter saga unfolded in early December 2021, with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool. That spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Supply chain attacks have become so prevalent that security administrators are looking for guidance about how to prevent and mitigate them, which both the public and private sector have been happy to offer.

Following an executive order issued by President Biden last year directing government agencies to improve the security and integrity of the software supply chain, the National Institute of Standards and Technology (NIST) earlier this year updated its cybersecurity guidance for addressing software supply chain risk. The publication includes tailored sets of suggested security controls for various stakeholders, such as cybersecurity specialists, risk managers, systems engineers, and procurement officials.

Security professionals also have offered organizations advice on how to better secure the supply chain, recommending that they take a zero-trust approach to security, monitor third-party partners more than any other entity in an environment, and choose one supplier for software needs that offers frequent code updates.
