Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware

This is a developing story. Please watch this space for updates as we continue to dig into the technical details of this attack.

Updated on December 8, 2015, 7:15 PM PST (UTC -8): We have edited this entry to reflect the current status of communications with The Independent and the current threat. As of this writing, the site is still compromised and serving various malware threats to users.

The blog page of The Independent, one of the leading media sites in the United Kingdom, has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident. However, the site is still currently compromised and users are still at risk.

It should be noted that only the blog part of the website, which uses WordPress, is impacted; the rest of The Independent’s online presence seems unaffected. WordPress is a very popular blogging platform that has seen more than its fair share of attacks and compromises from threat actors and cybercriminals looking to infect users.

I stumbled upon this while monitoring the activity of the Angler Exploit Kit. Based on my investigation, since at least November 21 the compromised blog page has redirected users to pages hosting that exploit kit. If a user does not have an updated Adobe Flash Player, the vulnerable system will download the Cryptesla 2.2.0 ransomware (detected by Trend Micro as RANSOM_CRYPTESLA.YYSIX).

The malware then changes the extension of encrypted files to “.vvv”.
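As an added illustration (not part of the original post and not Trend Micro's tooling), the script below shows one triage check an incident responder can run on a suspect host: walk a directory tree, count files carrying the “.vvv” extension named above, and flag the host once the count crosses a threshold, so that a single stray file does not raise an alert but a mass rename does. The sample directory layout, file names and threshold are constructed for the demo; only the extension comes from the post.

```python
import os
import tempfile
from collections import Counter

# Extension that Cryptesla 2.2.0 gives encrypted files, per the post above.
RANSOM_EXTENSION = ".vvv"


def scan_for_encrypted_files(root, threshold=5):
    """Walk `root` and count files ending in RANSOM_EXTENSION.

    Returns a dict with the total count, a per-directory breakdown and a
    `suspected_encryption` flag that is set once the total reaches `threshold`.
    The threshold value is an assumption for this demo: it keeps one stray
    file from raising an alert while a mass rename still trips it.
    """
    per_dir = Counter()
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(RANSOM_EXTENSION):
                per_dir[dirpath] += 1
                total += 1
    return {
        "total": total,
        "per_dir": dict(per_dir),
        "suspected_encryption": total >= threshold,
    }


def build_sample_tree(root):
    """Create a constructed directory layout for the demo (not real victim data):
    six renamed files under Documents plus one untouched file at the top level."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for i in range(6):
        # Hypothetical file names; only the extension is taken from the post.
        with open(os.path.join(docs, f"report{i}.vvv"), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("untouched file\n")
    return root


def run_demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_encrypted_files(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['total']} file(s) with {RANSOM_EXTENSION}; "
          f"suspected encryption: {result['suspected_encryption']}")
```

On a real host you would point `scan_for_encrypted_files` at user profile and share roots rather than a temporary directory; the per-directory breakdown tells the responder where the renaming started, which is useful when deciding what to isolate and restore first.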

The vulnerability exploited in this particular instance is CVE-2015-7645. This is also the most recent vulnerability we have seen added to Angler’s repertoire.


Figure 1. Our analysis showing the compromised blog page of The Independent


Figure 2. Screenshot of the ransom note

The Angler Exploit Kit is the most active exploit kit to date and has integrated the Adobe Flash zero-day vulnerabilities related to the Hacking Team leak. In our 3Q threat roundup report, we observed a spike in the number of Angler-hosting links from May to September 2015.

We also tracked the number of hits to the TDS (traffic distribution system) that sits between compromised sites and Angler EK (not just The Independent blog) and have seen as many as 4,000 hits a day. The real number could be bigger.


Figure 3. Number of users redirected from compromised sites leading to Angler EK

We at Trend Micro have provided protection to user systems by blocking all known related malicious websites and detecting the final payload.

Additional insights and analysis by Feike Hacquebord, Brooks Li and David Agni.

Read more: Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware

Story added 8 December 2015; the content source with the full text can be found at the link above.