Dark Reading is part of the Informa Tech Division of Informa PLC

7/1/2020 06:50 PM

Attackers Compromised Dozens of News Websites as Part of Ransomware Campaign

Malware used to download WastedLocker on target networks was hosted on legit websites belonging to one parent company, Symantec says.

Attackers recently compromised dozens of US newspaper websites belonging to the same parent company and used the sites to distribute malicious code for downloading ransomware on networks belonging to targeted organizations across multiple sectors.

Several major US organizations that were recently found infected with the malware appear to have been initially compromised when their employees visited one of the news websites, Symantec said.

The security vendor last week had reported discovering "SocGholish," a JavaScript-based malware masquerading as a software update, on networks belonging to at least 31 major enterprise customers. A Russia-based group called Evil Corp. is using the malware as part of an attack sequence to download a new ransomware strain called WastedLocker on target networks, Symantec had noted. 

Among the Symantec customers impacted in the campaign are 11 publicly listed organizations, including eight in the Fortune 500 list. A plurality of the victims are in the manufacturing sector, though organizations from other industries were hit as well, including financial services, healthcare, energy, and transportation. In each case, the attacks were detected and stopped before the ransomware deployed.

Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. "The end goal of these attacks is to cripple the victim's IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom," the vendor said in its report last week.

Evil Corp. is a well-known threat actor believed responsible for attacks, including those involving the Dridex and Zeus banking Trojans, that have cumulatively cost victims hundreds of millions of dollars in damages. A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large; the US has offered a $5 million reward for information leading to the arrest of one of them.

In its initial report (updated this week), Symantec said its researchers had discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites.

According to the vendor, its continuing investigation of the campaign showed dozens of the compromised websites were actually news sites belonging to one parent company. Symantec notified the organization of the issue, and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.

The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and as having begun in May 2020. According to researchers from both Symantec and NCC Group, the Evil Corp. attackers have been using a combination of custom tools and legitimate processes and services to deploy the ransomware, to communicate with command-and-control servers, and to move laterally on infected networks.

The tools being used in the campaign include PowerShell scripts, the PsExec Windows Sysinternals tool, and the Windows Management Instrumentation Command Line Utility (wmic.exe), which is being used to disable real-time monitoring and scanning of downloaded files. In many of the attacks, the threat actors have attempted to disable Windows Defender and associated services before deploying the ransomware.
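The sequence described above (living-off-the-land tooling used to switch off Defender, then PsExec for remote execution) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not code from Symantec, NCC Group or the article, that runs a few pattern rules over constructed process-creation events and correlates, per host, Defender tampering with remote-execution tooling. The sample events, host names, file paths and the exact wmic invocation are assumptions made for illustration; only the PowerShell `Set-MpPreference` switches and the `WinDefend` service name are real Windows identifiers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed process-creation events (e.g. what Sysmon Event ID 1 or
# Security 4688 would give you after parsing). Not real campaign telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "host": "ws-17", "image": r"C:\Windows\System32\wbem\wmic.exe",
     # Assumed shape of a wmic call against the Defender WMI class; illustrative syntax.
     "cmdline": r"wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Set DisableRealtimeMonitoring=True"},
    {"id": 2, "host": "ws-17", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Real cmdlet: turns off real-time protection and scanning of downloaded files.
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"'},
    {"id": 3, "host": "fs-02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe stop WinDefend"},
    {"id": 4, "host": "ws-17", "image": r"C:\Users\Public\PsExec.exe",
     # Hypothetical remote target and payload path.
     "cmdline": r"PsExec.exe \\SRV-APP-01 -accepteula -s -d cmd.exe /c C:\Windows\Temp\run.bat"},
    # Benign administrative use of the same binaries: must not fire.
    {"id": 5, "host": "ws-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-MpComputerStatus"},
    {"id": 6, "host": "ws-03", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic os get Caption,Version"},
    {"id": 7, "host": "fs-02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe query WinDefend"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    category: str          # "defender_tamper" or "remote_exec"
    pattern: "re.Pattern"


RULES = [
    # wmic.exe touching Defender's preference class.
    Rule("defender_pref_tamper_wmic", "high", "defender_tamper",
         re.compile(r"\bwmic(\.exe)?\b.*MSFT_MpPreference", re.I)),
    # PowerShell switching off real-time, download (IOAV) or behaviour monitoring.
    Rule("defender_pref_tamper_powershell", "high", "defender_tamper",
         re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+(\$true|1)\b", re.I)),
    # Service control against the Defender service itself.
    Rule("defender_service_stop", "high", "defender_tamper",
         re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\b.*\bWinDefend\b", re.I)),
    # PsExec launched against a remote host (UNC target) - lateral movement context.
    Rule("psexec_remote_exec", "medium", "remote_exec",
         re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I)),
]


def detect(events: List[Dict]) -> List[Dict]:
    """Return one hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({"id": ev["id"], "host": ev["host"],
                             "rule": rule.name, "severity": rule.severity,
                             "category": rule.category})
    return hits


def hosts_staging_ransomware(events: List[Dict]) -> Set[str]:
    """Hosts where Defender tampering AND remote-execution tooling both appear.

    A single Set-MpPreference can be legitimate administration; the combination
    with PsExec on the same host is the pre-deployment pattern worth paging on.
    """
    by_host: Dict[str, Set[str]] = {}
    for hit in detect(events):
        by_host.setdefault(hit["host"], set()).add(hit["category"])
    return {h for h, cats in by_host.items() if {"defender_tamper", "remote_exec"} <= cats}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['id']:>2} host={hit['host']:<6} {hit['severity']:<6} {hit['rule']}")
    print("hosts staging ransomware:", sorted(hosts_staging_ransomware(SAMPLE_EVENTS)))
```

The regexes deliberately key on the Defender-specific arguments rather than on the binaries themselves, since wmic.exe, sc.exe and PowerShell are everywhere in a Windows estate; the per-host correlation is what separates the attack sequence from routine administration. In a real deployment the same logic would run against your EDR or SIEM's process-creation feed instead of the embedded list.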

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio