250 U.S-Based Websites, Including News Agencies, Infected as TA569 Compromises the Ad Supply Chain

The distribution of SocGholish malware by leveraging the near-ubiquitous JavaScript is yet another reminder of the threat from the software supply chain.

November 4, 2022

Cybercriminal group TA569 has modified and deployed malicious JavaScript code into hundreds of websites that are pushing the SocGholish malware onto machines that access them. According to Proofpoint, TA569 was able to compromise a media company that delivers content to these websites.

Proofpoint assessed that 250 U.S. websites are distributing the SocGholish malware through a compromised JavaScript code. These include major national and regional newspaper websites in Boston, New York, Chicago, Miami, Washington, D.C., Cincinnati, Palm Beach and elsewhere, all of which load the compromised code owned by a media company.

“The actual number of impacted hosts is known only by the impacted media company,” Proofpoint said. Currently used by 98% of websites, JavaScript enjoys near ubiquity, forming the backbone of how content is delivered on the world wide web. The programming language is the latest tool that threat actors are using to distribute the five-year-old malware.

“SocGholish, or ‘TA569’ has spread malware in various ways over the years ranging from websites running vulnerable versions of WordPress and Drupal, QNAP Worms like Raspberry Robin, and lately through supply chain compromise of a thus unnamed media company used by multiple news organizations,” Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel, told Spiceworks.

The compromised JavaScript codebase owned by the media company is possibly used to deliver advertising videos and any other content type. “The actors took advantage of sites’ capability to parse JavaScript and managed to inject their code. JavaScript is one of the methods web users share information in the background, so it’s very widespread,” Terry Olaes, senior technical director at Skybox Security, told Spiceworks.

“By compromising a seemingly trusted site, they have a wide range of victims that can be further exploited for spreading malware, obfuscating traces, and other nefarious deeds,” Olaes added.

SocGholish, also known as FakeUpdates, has existed since 2018 and is widely associated with the Russia-based cybercriminal entity Evil Corp, which uses it as a loader for WastedLocker ransomware. SocGholish is also known to be used as a loader for NetSupport RAT, BLISTER, and other malware.

Besides serving as a vehicle for ransomware, trojans, and other malware, SocGholish also serves other malicious purposes. Clements explained to Spiceworks, “Once triggered, SocGholish employs multiple different ways for the threat actor to harvest any user passwords and achieve total remote control over the victim’s computer based on its disposition.”

“Notably, the threat actor will employ different means of post-victim compromise steps depending on whether it appears to be part of a corporate network or not, based on the machine’s status as an Active Directory joined computer or not. Most often by downloading and leveraging legitimate remote access or management tools that are rarely flagged by endpoint antimalware defenses. It’s not entirely clear the specific goals of the threat actor.”


Olaes added that the threat actors could also try to establish persistence after infecting the target with SocGholish. Proofpoint clarified that the SocGholish payload on websites could vary depending on the time because TA569 removes and reinstates infected JavaScript injections on a rotating basis.

The company didn’t mention exactly how TA569 was able to compromise the media company sitting upstream of the news websites in the advertising chain. The distribution of SocGholish, first by exploiting an upstream organization and then by leveraging the near-ubiquitous JavaScript, is yet another reminder of the threat from the software supply chain and the need to secure it.
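Because the injections are removed and reinstated on a rotating basis, a single scan of a vendor script can miss the compromise. The following is an added illustration, not code from Proofpoint or from the article, of how a site operator can pin a reviewed third-party script by its Subresource Integrity hash and flag drift across repeated fetches; the snapshots are constructed sample data, not real TA569 content.

```python
import base64
import hashlib

# Constructed snapshots of one vendor-hosted script body as a monitor might
# fetch it over time (sample data, not real TA569 content). The middle
# snapshot carries an unreviewed addition; the last one has reverted.
SNAPSHOTS = [
    ("2022-11-01T08:00Z", "function adPlayer(){ /* vendor player v1 */ }\n"),
    ("2022-11-01T20:00Z", "function adPlayer(){ /* vendor player v1 */ }\n"
                          "var tmp = 1; /* not in the reviewed build */\n"),
    ("2022-11-02T08:00Z", "function adPlayer(){ /* vendor player v1 */ }\n"),
]


def sri_hash(body: str, algo: str = "sha384") -> str:
    """Return the script body's digest in the form browsers accept in the
    integrity attribute for Subresource Integrity, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def detect_drift(snapshots, baseline: str):
    """Compare each fetched snapshot against a reviewed baseline hash.

    Returns (timestamp, status) pairs: 'ok' (matches the baseline),
    'changed' (differs from the baseline) or 'reverted' (matches again
    right after a change, the rotating pattern the article describes).
    Checking only once would report 'ok' for the first and last fetch."""
    results = []
    seen_change = False
    for ts, body in snapshots:
        if sri_hash(body) == baseline:
            results.append((ts, "reverted" if seen_change else "ok"))
            seen_change = False
        else:
            results.append((ts, "changed"))
            seen_change = True
    return results


if __name__ == "__main__":
    # Baseline: the hash recorded when the vendor script was last reviewed.
    baseline = sri_hash(SNAPSHOTS[0][1])
    for ts, status in detect_drift(SNAPSHOTS, baseline):
        print(ts, status)
```

An integrity attribute on a script tag only protects scripts your page references directly; scripts that a vendor loader injects at runtime are outside its reach, which is why repeated hash comparison against a reviewed baseline is the fallback.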

How can netizens stay safe from SocGholish?

Olaes advised users to disable JavaScript in web browsers. However, JavaScript is indispensable to modern websites and is used by web developers to create interactive and dynamic webpages with animation and multimedia for desktop, mobile and other environments. Disabling JavaScript can render 98% of websites functionally useless or aesthetically pointless.

“If that’s not tolerable, then use a VM or VDI to serve as a browsing machine that will automatically be deleted after the session. This creates separation from the actual host and the web-facing edge and eliminates the usefulness of being compromised by taking down and wiping the browsing box.”

Clements pointed out the functional elements of SocGholish and advised that users should keep an eye out for relevant indicators of attempted infiltration. “SocGholish, in particular, seems to rely on pushing fake update messages about out-of-date installs of web browsers or flash plugins.”

“These work because users are used to being inundated with similar legitimate messaging over the years, but the important difference is that these are rarely encountered anymore on websites themselves. Rather, update messages are often conveyed in windows chrome or via taskbar messages.”

“Nowadays, it’s become prudent to ignore any such warnings from websites directly as these software packages usually include auto-update mechanisms. When in doubt, simply reboot your computer and the latest updates will usually be installed. For other situations, make sure you visit the software vendor’s site directly.”

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
