
Angler Exploit campaign infected at least 19 sites

Cyphort Labs spotted a new Angler Exploit campaign that has already infected at least 19 websites.

The campaign uses the bootstrapcdn.org redirector to send users to malicious payloads hosted on .co.uk websites, according to a May 17 blog post.

Cyphort Senior Director of Threat Operations Nick Bilogorskiy said in the post that the campaign started on May 9 and primarily infected web-based forums, but has also infected the website of a credit union in Texas and the site of a remote desktop program.

It's unclear how any of the sites were infected but researchers believe it may have been done via SQL injection or by compromising the FTP accounts of the sites and directly editing the HTML code, Bilogorskiy told SCMagazine.com, noting that it's possible more sites have been impacted.

Bilogorskiy said the exploit kit has most recently been spreading Locky and CryptXXX ransomware.

He said that several of the compromised forum sites ran vBulletin and attackers may have used vulnerabilities in the software to carry out the attacks.

“I think these websites were not targeted for any particular reason,” Bilogorskiy said. “They just happened to have weak security that allowed their compromise.”

To avoid infection, Bilogorskiy recommended users avoid infected websites, patch their browsers and applications and use a comprehensive security solution with behavioral detection.

Cyphort said it has reached out to the owners of the infected sites but has yet to hear back from them.
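For site owners checking their own pages, the sketch below scans HTML for tags that load from the bootstrapcdn.org redirector host named above. It is an added example, not Cyphort's tooling; the function names, the set of attributes checked and the sample markup are constructed assumptions.

```python
# Added example: find tags in a page that reference the redirector host.
from html.parser import HTMLParser
from urllib.parse import urlsplit

REDIRECTOR = "bootstrapcdn.org"  # redirector host named in the article
URL_ATTRS = {"src", "href", "data", "action"}  # assumed set of URL-bearing attributes

def host_matches(url, domain=REDIRECTOR):
    """True if the URL's host is `domain` or one of its subdomains."""
    try:
        # urlsplit handles protocol-relative URLs (//host/path) and lowercases the host.
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed netloc, e.g. an unterminated IPv6 literal
        return False
    # Exact or dot-bounded suffix match, so "notbootstrapcdn.org" does not hit.
    return host == domain or host.endswith("." + domain)

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and host_matches(value):
                self.hits.append((self.getpos()[0], tag, value))

def find_redirector_refs(html):
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample page: line 2 uses the legitimate .com CDN host and must not be flagged.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap.min.css">
<script src="//BootstrapCDN.org/constructed/path.js"></script>
</head><body>
<iframe src="http://cdn.bootstrapcdn.org/constructed"></iframe>
<a href="https://notbootstrapcdn.org/">unrelated host</a>
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, value in find_redirector_refs(SAMPLE):
        print(f"line {line}: <{tag}> loads {value}")
```

The check only sees URLs written literally in tag attributes; an injection that assembles the address inside inline script at runtime needs a separate review of script bodies.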
