Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware
This is a developing story. Please watch this space for updates as we continue to dig into the technical details of this attack.
Updated on December 8, 2015, 7:15 PM PST (UTC -8): We have edited this entry to reflect the current status of communications with The Independent and the current threat. As of this writing, the site is still compromised and serving various malware threats to users.
The blog page of one of the leading media sites in the United Kingdom, The Independent, has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident. However, the site is still currently compromised and users are still at risk.
It should be noted that only the blog part of the website, which uses WordPress, is affected; the rest of The Independent’s online presence seems unaffected. WordPress is a very popular blogging platform that has seen more than its fair share of attacks and compromises from threat actors and cybercriminals looking to infect users.
I stumbled upon this while monitoring the activity of Angler Exploit Kit. Based on my investigation, since at least November 21, the compromised blog page redirected users to pages hosting the said exploit kit. If a user’s system runs an outdated Adobe Flash Player, the exploit kit delivers the Cryptesla 2.2.0 ransomware to the vulnerable system (detected by Trend Micro as RANSOM_CRYPTESLA.YYSIX).
The malware then changes the extension of encrypted files to “.vvv”.
The vulnerability exploited in this particular instance was found to be CVE-2015-7645. This is also the latest vulnerability we have detected being added to Angler’s repertoire.
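The infection chain above ends with the ransomware renaming encrypted files to a ".vvv" suffix, which is the kind of host-side behaviour a defender can alert on. The following detector is an added example, not code from the original post or from Trend Micro: it reads constructed file-rename audit records (the tab-separated record format, the host and user names, and the threshold of five ".vvv" renames within 60 seconds are all assumptions) and flags any host/user pair that renames files to ".vvv" in a burst, which distinguishes mass encryption from a user renaming a single file.

```python
"""Rename-burst detector for the Cryptesla/TeslaCrypt 2.2.0 behaviour described
above (encrypted files renamed with a ".vvv" suffix).

Added example. The audit record format, sample hosts/users and the burst
threshold are assumptions, not details from the original post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_SUFFIX = ".vvv"          # extension observed on Cryptesla 2.2.0 victims
BURST_COUNT = 5                     # assumed: renames needed to raise an alert
BURST_WINDOW = timedelta(seconds=60)  # assumed: sliding window for the burst

# Constructed audit records: ISO timestamp, host, user, old path, new path.
SAMPLE_LOG = """\
2015-12-08T14:00:00\tWS01\talice\tC:\\Users\\alice\\Documents\\budget.xlsx\tC:\\Users\\alice\\Documents\\budget.xlsx.vvv
2015-12-08T14:00:05\tWS01\talice\tC:\\Users\\alice\\Documents\\notes.docx\tC:\\Users\\alice\\Documents\\notes.docx.vvv
2015-12-08T14:00:10\tWS01\talice\tC:\\Users\\alice\\Pictures\\holiday.jpg\tC:\\Users\\alice\\Pictures\\holiday.jpg.vvv
2015-12-08T14:00:15\tWS01\talice\tC:\\Users\\alice\\Pictures\\family.jpg\tC:\\Users\\alice\\Pictures\\family.jpg.vvv
2015-12-08T14:00:20\tWS01\talice\tC:\\Users\\alice\\Desktop\\todo.txt\tC:\\Users\\alice\\Desktop\\todo.txt.vvv
2015-12-08T14:00:25\tWS01\talice\tC:\\Users\\alice\\Desktop\\invoice.pdf\tC:\\Users\\alice\\Desktop\\invoice.pdf.vvv
2015-12-08T14:01:00\tWS02\tbob\tC:\\Users\\bob\\test.bin\tC:\\Users\\bob\\test.bin.vvv
2015-12-08T14:02:00\tWS03\tcarol\tC:\\Users\\carol\\report.txt\tC:\\Users\\carol\\report.bak
2015-12-08T15:00:00\tWS01\talice\tC:\\Users\\alice\\Music\\song.mp3\tC:\\Users\\alice\\Music\\song.mp3.vvv
"""


def parse_event(line):
    """Split one tab-separated audit record into a dict with a parsed timestamp."""
    ts, host, user, old, new = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "old": old, "new": new}


def find_rename_bursts(lines, count=BURST_COUNT, window=BURST_WINDOW,
                       suffix=SUSPICIOUS_SUFFIX):
    """Return {(host, user): info} for principals that rename >= count files to
    `suffix` inside any `window`-long period. `info` carries the burst start and
    end timestamps and the total number of suffix renames seen for that principal."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # sliding window of timestamps per (host, user)
    totals = defaultdict(int)     # all suffix renames per (host, user)
    alerts = {}
    for e in events:
        if not e["new"].lower().endswith(suffix):
            continue              # ordinary rename, not relevant to this detector
        key = (e["host"], e["user"])
        totals[key] += 1
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= count and key not in alerts:
            alerts[key] = {"burst_start": q[0], "burst_end": e["ts"]}
    for key, info in alerts.items():
        info["total_renames"] = totals[key]
    return alerts


if __name__ == "__main__":
    for (host, user), info in find_rename_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}/{user}: {info['total_renames']} files renamed to "
              f"{SUSPICIOUS_SUFFIX}, burst {info['burst_start']} .. {info['burst_end']}")
```

On the constructed sample, only alice on WS01 trips the detector: bob's single ".vvv" rename and carol's ".txt" to ".bak" rename stay below the threshold. The suffix and threshold are parameters, so the same loop can be pointed at other extensions a particular ransomware family is known to use.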
Figure 1. Our analysis showing the compromised blog page of The Independent
Figure 2. Screenshot of the ransom note
Angler Exploit Kit is the most active exploit kit to date, and it integrated the Adobe Flash zero-day vulnerabilities related to the Hacking Team leak. In our 3Q threat roundup report, we observed a spike in the number of Angler-hosting links from May to September 2015.
We also tracked the number of hits to the traffic direction system (TDS) that sits between compromised sites (not just The Independent blog) and Angler EK, and have seen as many as 4,000 hits a day. The real number could be higher.
Figure 3. Number of users redirected from compromised sites leading to Angler EK
We at Trend Micro have provided protection to user systems by blocking all known related malicious websites and detecting the final payload.
Additional insights and analysis by Feike Hacquebord, Brooks Li and David Agni.