Proofpoint researchers revealed in a Tweet Wednesday that more than 250 US news organizations have accessed SocGholish malware in what could potentially become a very dangerous supply chain attack.
SocGholish infections have historically served as precursors to ransomware and, in some instances, to information stealers and keyloggers. Endgame payloads vary depending on the victim profile and on the ongoing relationships between other threat actors and the Russian-linked TA569, which they use for initial access.
Sherrod DeGrippo, vice president of research and threat detection at Proofpoint, said that while they are unable to release any information related to the targeted media company, the company in question provides both video content and advertising to major news outlets.
DeGrippo said that although the threat actor has a demonstrated history of compromising content management systems (CMS) and hosting accounts, at this time Proofpoint does not have any evidence regarding the initial access vector, which probably occurs outside of the mail flow.
“TA569 has previously leveraged media assets to distribute SocGholish, and this malware may lead to subsequent infections, including potential ransomware,” DeGrippo said. “The situation needs to be closely monitored, as Proofpoint observed that TA569 re-infects the same assets just days after remediation. Solving the problem once is not enough. It’s worth remembering that website security depends on a network of assets and services, and no matter how robust your security is, it’s only as good as the third-party assets you import.”
DeGrippo said the site in question was first observed hosting the TA569 injection in the past 24 hours. The targeted media company was notified and investigated. Only the targeted media company knows the total number of media organizations involved.
“Even with remediation, we saw TA569 re-infect the same assets days later, so continued targeting of this company and others is likely,” DeGrippo said. “Supply chain attacks like this, where a compromised asset can spread compromises throughout the network, have proven to be a successful business model for threat actors. Media companies that are a kingpin in the information industry should beware.”
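The two points DeGrippo makes above, that a site is only as secure as the third-party scripts it imports and that the same assets were re-infected days after remediation, translate into a simple defensive control: pin each imported script to a reviewed version and re-check it on a schedule. The following is an added example, not code from Proofpoint or from the article; the vendor URLs and script bodies are constructed placeholders, and it assumes the site operator can fetch the same script bodies its pages load.

```python
import base64
import hashlib

# Constructed sample: the third-party scripts a news site imports, captured
# when they were last reviewed (the "known good" baseline). The .invalid
# URLs and bodies are placeholders, not real vendor assets.
BASELINE_SCRIPTS = {
    "https://cdn.example-video-vendor.invalid/player.js": b"window.player = {play(){}};",
    "https://ads.example-ad-vendor.invalid/tag.js": b"window.adTag = {load(){}};",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for a
    script body. Placed in <script integrity="..."> it makes the browser refuse
    a third-party file whose bytes differ from the reviewed version."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_baseline(scripts: dict) -> dict:
    """Pin each imported script URL to the SRI hash of its reviewed content."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def check_drift(baseline: dict, fetched: dict) -> dict:
    """Compare freshly fetched script bodies against the pinned baseline.
    Status per URL: "unchanged", "CHANGED" (needs re-review: possible injection
    or re-infection after a clean-up), or "missing" (asset not retrievable)."""
    report = {}
    for url, pinned in baseline.items():
        body = fetched.get(url)
        if body is None:
            report[url] = "missing"
        elif sri_hash(body) == pinned:
            report[url] = "unchanged"
        else:
            report[url] = "CHANGED"
    return report


if __name__ == "__main__":
    pinned = build_baseline(BASELINE_SCRIPTS)
    # Constructed re-check a few days later: the video vendor's script now
    # carries extra code, which is exactly the case that must be flagged.
    fetched_today = dict(BASELINE_SCRIPTS)
    fetched_today["https://cdn.example-video-vendor.invalid/player.js"] += b"/* appended */"
    for url, status in check_drift(pinned, fetched_today).items():
        print(status, url)
```

For scripts whose vendor legitimately changes content often, such as ad and video tags, a strict SRI pin would break the page, so the drift report is the usable part there: treat every "CHANGED" as a ticket to re-review the new content rather than as an automatic block. Run the check on the same cadence the quote describes (daily, not once after remediation).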
Russian-aligned threat actor activity in the run-up to Election Day in the United States
TA569 is considered a Russian-aligned threat actor, said Jason Hicks, executive advisor and field CISO at Coalfire. Hicks said given their alignment with a nation state, it’s no surprise that they attack media organizations.
Hicks also said that, given the proximity of Election Day and the actions taken in previous US elections, he expects to see an increase in this type of activity. Media organizations hold a wealth of information that is of interest to foreign intelligence actors, Hicks said: the sources behind articles critical of their government, or simply advance knowledge that an unfavorable article will be published, would be of interest.
“It also gives them access to information before it becomes public, which would be useful for both advocacy and investment purposes,” Hicks said. “Often these organizations will be easier to break into than the companies and government agencies they report to, so attacking them is a quicker and easier way to gather useful information. Additionally, by infecting a service provider that caters to many organizations, it can quickly expand its footprint and collect data from a wider variety of sources. Media organizations are also easier targets because they have no significant regulatory burden when it comes to security.”
News organizations vulnerable to supply chain attacks
Dan Vasile, vice president of strategic development at BlueVoyant and former vice president of information security at Paramount, explained that the reported incident most likely falls into the category of supply chain attacks. Vasile said the attack is similar to, but different from, well-known and costly incidents at Kaseya and SolarWinds, abusing the trust customers should have in their digital providers.
Vasile noted that BlueVoyant’s recent research into the media industry revealed security weaknesses and vulnerabilities at a number of vendors who support the media industry, suggesting that, as an industry, media faces significant cybersecurity challenges. In this case, Vasile said, the malicious actor was targeting the distribution section of the value chain, which is how content gets to broadcast and streaming services.
John Bambenek, principal threat hunter at Netenrich, said he has seen a slight increase in attacks against media companies at the moment. Whether this is transient or part of the usual ebb and flow of attacks remains to be seen, Bambenek said.
“The real driver here is the use of vulnerable CMS servers (also popular in media companies) to push traffic as part of traffic delivery systems,” Bambenek said. “They are an important point in the chain of exploitation generally aimed at end consumers.”
Proofpoint’s disclosure follows incidents last week at the New York Post and Thomson Reuters.
SC Media reported last Friday that the NY Post’s website and Twitter account were hacked by an insider, whom the newspaper later fired. And Thomson Reuters reportedly left at least three of its databases open on the public Internet. One of the exposed instances was a publicly accessible ElasticSearch database of 3 terabytes that contained sensitive data from across the company’s platforms.