EXECUTIVE SUMMARY:

Due to a supply chain attack involving a service provider, hundreds of regional and national news websites in the U.S. are grappling with possible malware infections. More than 250 new sites have been affected, including those in Boston, New York, Chicago, Washington DC, Palm Beach, Miami and Cincinnati. The total victims’ list may be more extensive than experts can currently account for.

Newspaper website malware

As noted previously, cyber criminals have targeted an unnamed media company that provides services to many new outlets in the U.S. The outlet delivers content to partner organizations via a JavaScript file, which is then loaded by the news outlets’ websites. The cyber criminals maliciously modified the codebase of the script to deploy malware to news agency websites.

Who’s behind the attack

The malware used in the attack is known as SocGholish, also known as FakeUpdates. It has existed since 2017, and has infected 25,000 websites since January of this year. In 2021, the malware infected 61,000 sites. According to analysts, SocGholish is being used for ransomware distribution.

A group of cyber criminals, known as TA569, is behind the attack. The current situation requires close monitoring, as TA569 has previously reinfected a given company’s resources just days after a company has managed to complete remediation efforts.

Fraudulent software updates

Previously, the cyber crime gang known as Evil Corp used an eerily similar campaign to disrupt the daily activities of employees within more than 30 major U.S. private firms. At that point in time, Evil Corp sent out fake software updates that targeted newspaper websites’ computers and devices.

The infected machines were later used as stepping stones that allowed hackers to gain illicit enterprise network access. Once in systems, the criminals attempted to deploy the WastedLocker ransomware.

In what Microsoft has described as ‘pre-ransomware behavior,’ Evil Corp has also recently used SocGholish to backdoor networks infected with the Raspberry Robin malware.

Supply chain threats

This new media outlet incident represents yet another instance of attackers manipulating the software supply chain to infect code that is shared across several platforms. Past examples of software supply chain attacks with massive ‘ripple effects’ include the SolarWinds incident and the Log4J event.

Supply chain attack prevention

Software supply chain attacks are increasing in frequency and often feel unstoppable. Many security administrators are actively searching for guidance regarding how to prevent and mitigate software supply chain attacks. Best practices include:

1. Implementing least privilege. Many organizations assign excessive access and permissions to employees, partners and software. Excessive permissions render supply chain attacks easier to execute than needed. Implement least privilege and assign all individuals required permissions only.

2. Performing network segmentation. Third-party software and partner organizations do not need unfettered access to every area of a given network. Leverage network segmentation to break the network into zones based on business functions. This way, if a supply chain attack compromises part of the network, the remainder of the network remains protected.

3. Following DevSecOps practices. The integration of security into the development lifecycle means that it is possible to detect whether or not software has been maliciously modified.

4. Automating threat prevention and hunting. Security Operations Centers (SOC) analysts should protect against attacks across all of a given organization’s environments, including the endpoint, network, cloud and mobile environments.

Check Point’s Harmony Endpoint can help organizations protect against software supply chain threats. Learn more here. For more CyberTalk.org insights into software supply chain threats, please click here.

Lastly, discover new trends, expert interviews, cyber intelligence analysis and so much more when you subscribe to the CyberTalk.org newsletter.