Dark Reading is part of the Informa Tech Division of Informa PLC

NBC Websites Hacked To Serve Citadel Financial Malware

RedKit exploit kit launched drive-by malware attacks from NBC websites, targeted vulnerabilities in Java and Adobe Reader.

Multiple NBC websites were compromised by online attackers and used to launch drive-by attacks at visitors Thursday.

"At 16:43 CET [12:43 EST] this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting U.S. financials (sic) institutions," warned security analyst Barry Weymes at Dutch security firm Fox-IT in a Thursday blog post. "This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com."

Malware-spewing NBC websites included the sites for Late Night with Jimmy Fallon and Jay Leno's Garage, according to a blog post by Tony Perez, COO of security software vendor Sucuri.

In short order, Google was blocking some NBC websites from search results, warning that they appeared to be infected with malware. While some reports suggested that NBC expunged the malware after just 15 minutes, multiple security researchers reported that the infections persisted for at least four hours.


Attackers appeared to have compromised the NBC websites using the RedKit attack toolkit, which then targeted visitors with attacks designed to exploit vulnerabilities in their Java browser plug-in or Adobe Reader. The remotely exploitable Java bug (CVE-2013-0422) being targeted was discovered in January and patched last month. Meanwhile, the malicious PDF file served up by the malware was recognized Friday morning by only six out of 46 antivirus software packages, according to VirusTotal. Initial reports on the attack from security researchers didn't disclose whether the Adobe Reader bug was a zero-day flaw or a previously discovered bug.

The iframe used in the attack called on an ever-changing list of external URLs to load attack code. "This tells us that something on the server is generating the payload," said Sucuri's Perez in his Thursday blog post. "This isn't an uncommon practice; it also tells us that the script is likely still on the box. The fact that it's impacting other sites tells us that the compromise might extend beyond the Web application and onto the server. If those other sites are stored on separate boxes then we're looking at a much bigger, network, compromise, but that is speculative at the moment."
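The rotating-URL pattern Perez describes is something a site owner can check for on their own pages. The following is an added example, not code from the article or from Sucuri or Fox-IT; it assumes a constructed allowlist of legitimate embed hosts and two constructed snapshots of the same page, and flags iframes that point off-site or are hidden, then reports whether the off-site host changes between fetches.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the site legitimately embeds; anything else is flagged (constructed allowlist).
ALLOWED_HOSTS = {"nbc.com", "www.nbc.com"}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    # Drive-by iframes are typically sized to zero/one pixel or hidden via inline style.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in {"0", "1"} or attrs.get("height", "").strip() in {"0", "1"}
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (src, reasons) for iframes that point off-site or are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("external host: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden/zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings

def rotating_hosts(snapshots, allowed_hosts=ALLOWED_HOSTS):
    """Across repeated fetches of one page, return the distinct off-site iframe hosts seen.
    More than one host for the same page suggests a server-side script generating payload URLs."""
    hosts = set()
    for html in snapshots:
        for src, _ in find_suspicious_iframes(html, allowed_hosts):
            hosts.add(urlparse(src).hostname or "")
    return hosts

# Constructed sample: two fetches of the same page, each carrying a different injected frame.
SNAPSHOT_1 = '<html><body><p>Late Night</p><iframe src="http://example-a.invalid/x.php" width="0" height="0"></iframe></body></html>'
SNAPSHOT_2 = '<html><body><p>Late Night</p><iframe src="http://example-b.invalid/y.php" style="display:none"></iframe></body></html>'

if __name__ == "__main__":
    for n, snap in enumerate((SNAPSHOT_1, SNAPSHOT_2), 1):
        print("fetch", n, find_suspicious_iframes(snap))
    print("rotating hosts:", rotating_hosts([SNAPSHOT_1, SNAPSHOT_2]))
```

Run it periodically against a site's own rendered pages; a non-empty, changing host set is the signal to look at the server itself, not just the page template.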

By infecting a high-profile site such as NBC.com, which is one of the top 600 most popular sites in the United States, attackers had the opportunity to quickly infect numerous visitors. "Targeting media and news websites can vastly improve an attacker's chances of success," according to Weymes of Fox-IT, which was one of the first organizations to spot the attack. "Users presume these large organizations' websites to be free from malware. If an attacker can gain access to these Web servers, they can use them to distribute malware to every visitor of that Web server."

Attackers made the most of their exploit window, using RedKit to deliver up to three different malware payloads to PCs, including the Citadel crimeware toolkit, which is designed to steal financial information. According to Fox-IT, the attackers were targeting account details for numerous U.S. financial institutions, including American Express, Bank of America, Chase, Citibank, Citizensbank Online, Fifth Third Bank, Navy Federal Credit Union, PNC, Schwab, Suntrust, TD Ameritrade, USAA and Wells Fargo.

The drive-by NBC website attacks also infected some visitors with ZeroAccess malware, which is used to launch clickjacking attacks that generate fake pay-per-click revenues for botnet controllers or their clients. "ZeroAccess is a dangerous threat that uses stealth techniques in order to hinder its detection and removal," said SurfRight security researcher Erik Loman in a blog post.

RedKit served up a third piece of malware that has yet to be identified. "Some antivirus vendors identify this malware as Zbot or a rootkit ... but it is most definitely not Zbot and it's not a rootkit either," Loman said. "The malware binary has a curious name at the end 'SadokBdi,'" which may connect it to previously seen malware known as "Sadok."

The timing of the high-profile NBC attack may be tied to Oracle and Adobe having recently released patches for multiple critical vulnerabilities in Java, Reader and Acrobat. Once vendors release a patch, criminals often reverse-engineer the fix to reveal the underlying vulnerability, which they then begin targeting. Anyone who doesn't quickly update their software thus remains highly vulnerable to having their PC compromised by an attacker, which can lead to their personal financial account information being stolen, keystrokes recorded and their PC being made to serve as part of a botnet.

Owing to many users failing to update the Java Runtime Environment installed on their PCs, Java bugs in particular remain quite popular with -- and effective for -- attackers.

Comments
OtherJimDonahue, User Rank: Apprentice, 2/22/2013 | 8:52:22 PM
re: NBC Websites Hacked To Serve Citadel Financial Malware
Put the malware on NBC's prime time schedule and it will be canceled within two episodes.

Jim Donahue
Copy Chief
InformationWeek

Deirdre Blake, User Rank: Apprentice, 2/22/2013 | 3:35:18 PM
re: NBC Websites Hacked To Serve Citadel Financial Malware
Bummer, there'll be no slow jamming the news today.