Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware
NOTE: This is a developing story. Please watch this space for updates as we continue to dig into the technical details of this attack.
The blog page of one of the leading media sites in the United Kingdom, “The Independent” has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the situation. For their part, the news website staff was quick to respond and take action to mitigate the risk this event posed to the website itself and its user base.
It should be noted that only the blog section of the website, which runs on WordPress, is affected; the rest of The Independent’s online presence seems unaffected. WordPress is a very popular blogging platform that has seen more than its fair share of attacks and compromises from threat actors and cybercriminals looking to infect users.
I stumbled upon this while monitoring the activity of Angler Exploit Kit. Based on my investigation, since at least November 21 the compromised blog page has been redirecting visitors to pages hosting that exploit kit. If the visitor’s Adobe Flash Player is not up to date, the exploit kit compromises the vulnerable system and drops the Cryptesla 2.2.0 ransomware (detected by Trend Micro as RANSOM_CRYPTESLA.YYSIX).
The malware then changes the extension of encrypted files to “.vvv”.
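The “.vvv” extension is the one host-level indicator this post gives, and it is the first thing an incident responder would hunt for on a machine that visited the compromised blog. The script below is an added example, not Trend Micro’s code or tooling: it walks a directory tree, collects every file ending in .vvv (case-insensitively), recovers the original extension from the inner filename (the ransomware appends .vvv to the full original name, so report.docx.vvv was report.docx), and ranks directories by how many artifacts they hold so scoping and recovery can start in the right place. The sample tree it builds is constructed for the demo and is not real victim data.

```python
# Added example (not Trend Micro's code): filesystem triage for the ".vvv"
# indicator left by Cryptesla/TeslaCrypt 2.2.0. The sample directory tree is
# constructed for the demo and is not real victim data.
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

VVV_SUFFIX = ".vvv"  # extension the 2.2.0 variant appends to encrypted files


def find_vvv_files(root):
    """Walk root and return sorted paths (as strings) ending in .vvv, case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(VVV_SUFFIX):
                hits.append(Path(dirpath) / name)
    return [str(p) for p in sorted(hits)]


def original_extension(path):
    """The ransomware appends .vvv to the full original name, so
    'report.docx.vvv' -> '.docx'. Returns '(none)' if there was no inner extension."""
    name = Path(path).name
    if not name.lower().endswith(VVV_SUFFIX):
        raise ValueError(f"not a .vvv artifact: {name}")
    inner = Path(name[: -len(VVV_SUFFIX)])
    return inner.suffix.lower() or "(none)"


def summarize(root):
    """Count .vvv artifacts and break them down by directory and original extension."""
    hits = find_vvv_files(root)
    return {
        "count": len(hits),
        "paths": hits,
        "by_dir": Counter(str(Path(p).parent) for p in hits),
        "by_ext": Counter(original_extension(p) for p in hits),
    }


def affected_dirs(summary, min_hits=2):
    """Directories holding at least min_hits artifacts: where scoping/recovery starts."""
    return sorted(d for d, n in summary["by_dir"].items() if n >= min_hits)


def build_sample_tree():
    """Constructed sample tree simulating a partially encrypted user profile."""
    root = tempfile.mkdtemp(prefix="vvv_triage_")
    layout = {
        "Documents/report.docx.vvv": b"\x00encrypted",
        "Documents/budget.xlsx.vvv": b"\x00encrypted",
        "Documents/notes.txt": b"untouched plain text",
        "Downloads/ARCHIVE.ZIP.VVV": b"\x00encrypted",  # mixed case must still match
        "Pictures/holiday.jpg.vvv": b"\x00encrypted",
        "Program Files/app/readme.txt": b"untouched",
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        s = summarize(root)
        print(f"{s['count']} .vvv artifacts under {root}")
        for ext, n in s["by_ext"].most_common():
            print(f"  {n:4d}  original extension {ext}")
        print("directories to scope first:", affected_dirs(s))
    finally:
        cleanup(root)
```

Matching on the extension is a cheap first pass, not proof of encryption: the script does not inspect file contents, and later ransomware variants can use a different suffix, so treat a zero-hit result as “no .vvv artifacts” rather than “not infected”. In a real response you would also record each artifact’s modification time to build the encryption timeline and preserve the ransom note files alongside the encrypted ones.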
The vulnerability exploited in this instance was found to be CVE-2015-7645, an Adobe Flash Player flaw. It is also the most recent vulnerability we have seen added to Angler’s repertoire.
Figure 1. Our analysis showing the compromised blog page of The Independent
Figure 2. Screenshot of the ransom note
Angler Exploit Kit is the most active exploit kit to date, and it integrated the Adobe Flash zero-day vulnerabilities that surfaced in the Hacking Team leak. In our 3Q threat roundup report, we observed a spike in the number of Angler-hosting links from May to September 2015.
We also tracked the number of hits to the traffic direction system (TDS) that sits between compromised sites and Angler EK (not just The Independent blog) and have seen as many as 4,000 hits a day. The actual number is likely higher.
Figure 3. Number of users redirected from compromised sites leading to Angler EK
We at Trend Micro protect user systems by blocking all known related malicious URLs and detecting the final payload.
Additional insights and analysis by Feike Hacquebord, Brooks Li and David Agni.