Researchers at Trend Micro found that the blog of the U.K. newspaper The Independent was hacked and redirects visitors to pages containing the Angler Exploit Kit.
According to a blog post by Trend Micro fraud researcher Joseph C. Chen, the malware has been silently injected into the systems of readers who visited The Independent's blog since at least November 21. Readers whose systems did not have an updated Adobe Flash Player loaded the malware, Chen wrote.
The malware targets the CVE-2015-7645 vulnerability, a critical vulnerability in Flash Player that Adobe patched in October. On Monday, researchers at Malwarebytes discovered a malvertising attack on DailyMotion using the WWWPromoter network that targeted the same vulnerability.
In November 2014, The Independent, along with several other publications, was hacked by the Syrian Electronic Army (SEA), using the Gigya platform, a third-party marketing service owned by GoDaddy. The SEA also hacked Forbes in another attack in February 2014.
“While we've seen a significant uptick in ransomware against commercial enterprises, this incident is unique in that the malware is being delivered via a ‘watering hole’ from a major media site,” wrote Tom Kellermann, Trend Micro's chief cybersecurity officer, in an email obtained by SCMagazine.com. “By combining techniques, criminals have increased their base of potential victims with a very effective attack.”
Last month, Menlo Security published the results of a study that found 15 of the UK's top 50 websites run vulnerable servers. “This is a huge issue across the broader Web where site owners often neglect patching their software and ensuring they are running the most up-to-date software,” wrote Kowsik Guruswamy, CTO for Menlo Security, in an email obtained by SCMagazine.com. Guruswamy noted that many enterprises whitelist popular sites such as The Independent “as they are seemingly safe.”
The Independent ranks in the top 500 Alexa global sites. “Enterprises need to be controlling access to the Web based on threats, like sites serving Flash or running vulnerable software, and not just based on categories, like news, entertainment, or Alexa rank,” Guruswamy wrote.