Researchers at Proofpoint disclosed in a Tweet Wednesday that more than 250 U.S. news organizations have accessed malicious SocGholish malware in what could potentially become a very dangerous supply chain attack.
In the Tweet, Proofpoint said it observed intermittent injections on a media company that serves video and advertising services to many major news outlets. The targeted media company serves content via Javascript to its partners, and by modifying the codebase of this otherwise benign Javascript, the threat actors used the media company to deploy the SocGholish malware.
SocGholish infections have historically served as a precursor to ransomware and some instances where stealers and keyloggers have been deployed. End stage payloads are variable based on victim profile and ongoing relationships with other threat actors utilizing Russian-linked TA569 for initial access.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said while they are unable to disclose information related to the targeted media company, the company in question provides both video content and advertising to major news outlets.
DeGrippo said while the threat actor has a demonstrated history of compromising content management systems (CMS) and hosting accounts, at this time, Proofpoint does not have evidence supporting the initial access vector, which likely occurs outside of mailflow.
“TA569 has previously leveraged media assets to distribute SocGholish, and this malware can lead to follow-on infections, including potential ransomware,” said DeGrippo. “The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation. Fixing the problem once isn't enough. It’s worth remembering that website security is reliant on a network of assets and services, and that no matter how robust your security is, it's only as good as the third-party assets you’re importing.”
DeGrippo said the site in question was first observed hosting the TA569 inject within the last 24 hours. The media company targeted has been informed and has been investigating. Only the targeted media company knows the full total of affected media organizations.
“Even with remediation we have seen TA569 reinfect the same assets days later so continued targeting of this company and others is probable,” DeGrippo said. “Supply chain attacks like this where one compromised asset can push out compromises to the entire network has proven to be a successful business model for threat actors. Media companies who are a pivot point in the news industry need to be wary.”
Activity linked to Russia-aligned threat actor as Election Day nears in U.S.
TA569 is believed to be a Russian-aligned threat actor, said Jason Hicks executive advisor and Field CISO at Coalfire. Hicks said given their alignment with a nation-state, it’s not surprising they are attacking media organizations.
Hicks said also given the proximity to Election Day, he expects to see an uptick in this kind of activity given the previous actions taken during previous U.S. elections. Media organizations have a wealth of information that’s of interest to foreign intelligence actors, said Hicks. Sources for stories that are critical of their government, or simply knowing an unfavorable article will get published would be of interest, said Hicks.
“It also gives them access to information before it becomes public, which would be useful for both awareness and investment purposes,” Hicks said. “Often these organizations are going to be easier to penetrate than the companies and government agencies they are reporting on, so attacking them is a quicker and easier way to collect useful information. Also, by infecting a service provider that caters to many organizations they can quickly expand their footprint and collect data from a wider variety of sources. Media organizations are also easier targets since they lack any significant regulatory burden around security.”
News organizations vulnerable to supply chain attacks
Dan Vasile, vice president of strategic development at BlueVoyant and former vice president of information security at Paramount, explained that the reported incident most definitely falls into the category of a supply chain attack. Vasile said the attack is similar, yet different to the well-known and costly Kaseya and SolarWinds incidents, abusing the trust customers have to have in their digital suppliers.
Vasile noted that BlueVoyant’s recent research on the media industry found security weaknesses and vulnerabilities across a number of vendors that support the media industry, suggesting that, as an industry, media faces significant cybersecurity challenges. In this case, Vasile said the malicious actor targeted the distribution section of the value chain, which is how content gets to broadcast and streaming services.
“All the actors further down the supply chain, such as news outlets, publishers and their customers, have been impacted,” Vasile said. “There are strong incentives for websites to load JavaScript, which is how reportedly the attack started, from remote sources including for performance and extra functionality. However, any compromise at the third-party level will propagate instantly to all sites using the infected JavaScript code, exposing their customers.”
John Bambenek, principal threat hunter at Netenrich, said he’s seen a little uptick in attacks on media companies right now. Whether it’s transient, or part of the usual ebb and flow of attacks, remains to be seen, said Bambenek.
“The real driver here is the use of vulnerable CMS servers (also popular in media companies) to push traffic as part of traffic delivery systems,” Bambenek said. “They are an important point of the exploit chain typically targeted towards end consumers.”
Proofpoint’s disclosure comes on the heels of last’s week’s incidents at the New York Post and Thomsen Retuers.
SC Media reported last Friday that the website and Twitter account of the N.Y. Post was hacked by an insider, whom the paper subsequently fired. And Thomson Reuters reportedly left at least three of its databases open on the public internet. One of the open instances was 3 terabytes of a public-facing ElasticSearch database that contained sensitive data across the company’s platforms.
