Security Alert: 142 Million Legitimate Websites Could Deliver Ransomware
Commercial exploit kits prove their ability to evade detection once more
Heimdal Security has observed an increase in malicious scripts injected into legitimate websites that redirect Internet users to the Neutrino exploit kit server when accessed.
This attack is carried out by systematically compromising websites that run an outdated CMS (content management system) or outdated plugins. The campaign is mainly directed at websites built on WordPress, and the consequences could be dire.
According to the statistics:
WordPress is used by 58.7% of all the websites whose content management system we know. This is 24.3% of all websites.
Since there are almost 1 billion websites in the world, the figure of potentially compromised websites could rise to over 142 million.
Moreover, over 20% of WordPress-based websites run an outdated version of the famous CMS.
Even websites that run the latest version of WordPress could be vulnerable to this attack if they run outdated plugins and lack proper security settings.
With over 409 million people reading WordPress blogs each month, the number of potential ransomware victims could be disturbingly high.
And keep in mind that the attack is not solely directed towards WordPress-based websites, so the impact could be even bigger.
How the malicious script injection attack works
The malicious script injected into the targeted website references an intermediate ("halfway house") domain (sanitized by Heimdal Security): thedancingbutterfly[.]com.
This domain redirects traffic towards the commercial exploit kit Neutrino, which then tries to force-feed the victim’s system with a Teslacrypt variant, a ransomware Trojan.
Neutrino will exploit writing condition vulnerabilities in Adobe Flash Player, Internet Explorer and Adobe Reader / Acrobat. All the mentioned vulnerabilities are recent and have a low antivirus detection rate because of the multilayer obfuscation system that Neutrino exploit kit uses.
This script injection redirects the victim to the following domain (sanitized by Heimdal Security):
nkzppqzzzumhoap[.]ml
This domain is only marked as malicious by a few endpoint solutions, having a very low detection rate of 4/63 on VirusTotal.
The domain is served through its own name server (ns1) and root, and is hosted in the Netherlands by OpenTLD BV. The same server hosts other toxic domains used in attacks that employ the Neutrino exploit kit.
Teslacrypt is a dangerous ransomware Trojan that encrypts a long list of file extensions that typically contain important data. After the encryption is complete, Teslacrypt will drop for each folder the following files:
restore_files_[4 random letters].txt
restore_files_[4 random letters].html
These files contain instructions on how to buy a decryption key using Bitcoins.
In addition, Teslacrypt adds the following file to all encrypted files:
Recovery_File_[any text].txt
At the same time, the ransomware deletes the shadow copies on the local disk by spawning the shell command "C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /Quiet, and it also reaches files on network shares.
The following files will also be copied on the victim’s desktop:
Teslacrypt will then inject itself in the following processes: “iexplore.exe” and “cmd.exe”.
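As an added illustration that is not part of Heimdal's alert, the following Python script checks constructed endpoint events for the two TeslaCrypt artifacts described above: the vssadmin shadow-deletion command line and the ransom-note file names. The event format, field names and sample values are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not from the original alert), shaped like
# process-creation and file-creation events from an endpoint sensor.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\todo.txt"},
    {"type": "process", "parent": "iexplore.exe",
     "cmdline": '"C:\\WINDOWS\\system32\\vssadmin.exe" delete shadows /all /Quiet'},
    {"type": "process", "parent": "mmc.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign admin use
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\restore_files_qwzx.html"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx"},
    {"type": "file", "path": "\\\\fileserver\\share\\Recovery_File_report.txt"},
]

# Shadow-copy deletion as the alert describes it: vssadmin "delete shadows" with /all.
VSSADMIN_DELETE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows\b.*?/all', re.IGNORECASE)

# Ransom-note names from the alert: restore_files_<4 letters>.txt|html
# and Recovery_File_<any text>.txt, matched on the final path component only.
RANSOM_NOTE = re.compile(
    r'(?:^|[\\/])(?:restore_files_[a-z]{4}\.(?:txt|html)|recovery_file_[^\\/]+\.txt)$',
    re.IGNORECASE)


def classify_event(event):
    """Return an alert label for one event, or None if it looks benign."""
    if event["type"] == "process" and VSSADMIN_DELETE.search(event["cmdline"]):
        return "shadow_copy_deletion"
    if event["type"] == "file" and RANSOM_NOTE.search(event["path"]):
        return "ransom_note_dropped"
    return None


def scan_events(events):
    """Collect (label, parent, detail) tuples; the parent process is kept
    because the alert notes TeslaCrypt injecting into iexplore.exe and cmd.exe."""
    alerts = []
    for ev in events:
        label = classify_event(ev)
        if label:
            alerts.append((label, ev.get("parent"), ev.get("cmdline") or ev.get("path")))
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

A "list shadows" invocation is deliberately left unflagged so that routine administration does not trip the rule; only the destructive "delete shadows /all" form matches.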
In this case, Teslacrypt will also pick up an infostealer that’s part of the Pony family via the following domain (sanitized by Heimdal Security):
light-tech[.]pl
We have already spotted 24 websites in Denmark which deliver the payload via the malicious script injection, and payloads are rotated constantly.
To make matters worse, antivirus detection of the Teslacrypt ransomware is low: 10/56.
The need for improved browser security and additional security tools that can supplement antivirus protection has never been greater, especially when dealing with constant ransomware threats.
Website administrators, bloggers and everyone who uses a CMS should once again understand that patching and installing the latest updates is key to ensuring basic cyber security for any type of website and platform, and that security provisions are not only essential for themselves, but for their readers as well.