Security researchers have observed that a Guardian newspaper article exploring the various facets of cybercrime is redirecting visitors to a webpage hosting the Angler exploit kit.
FireEye’s J. Gomez, Kenneth Hsu, Kenneth Johnson explain their findings in a post published on the firm’s blog.
“FireEye Labs recently spotted a 2011 article on cybercrime from the news site theguardian[.]com that redirects users to the Angler Exploit Kit. Successful exploitation by Angler resulted in a malware infection for readers of the article.”
As our readers might recall, Angler is just one of several exploit kits whose activity rose 75% in the third quarter of this year as compared to Q3 of 2014.
This is in spite of the fact that researchers with Cisco’s Talos Security Intelligence and Research Group disrupted part of the exploit kit’s infrastructure earlier this fall.
Ironically (or perhaps not so much), the Guardian article redirecting to Angler is a piece by Misha Glenny entitled “Cybercrime: is it out of control?”
As if in direct response to the headline, a syndication link loaded in the background of the article eventually redirects visitors to a landing page for the Angler exploit kit using injected HTML.
In this particular attack, it would appear that Angler has a soft spot for older vulnerabilities. One of the bugs exploited is CVE-2014-6332, the Windows OLE Automation Array Remote Code Execution Vulnerability covered in Microsoft’s MS14-064 patch around this time last year which affects Internet Explorer versions 3-11 and allows an attacker to bypass operating system security utilities and other protections.
A malicious actor can exploit this bug using VBScript via an impressive-sounding “GodMode” method to achieve out-of-bounds memory access in an array. This in turn allows for arbitrary code execution.
Angler also embeds a Flash object on the page at runtime and reserves the right to serve up an exploit targeting Adobe’s software. Before it conducts any exploitation, however, the kit first scans for any anti-virus analysis tools and/or a malicious VBScript exploit, writes SC Magazine. If either is detected, Angler will modify its behavior and could terminate before any exploitation has taken place.
According to The Register, folks at The Guardian are aware of FireEye’s findings and are currently working to fix the hack.
News of this infection arrived just one day after Joseph C. Chen, a fraud researcher with Trend Micro, observed that blog pages at The Independent newspaper were also redirecting visitors to Angler. In this case, if users were running an out-of-date version of Adobe Flash Player, the exploit kit would download the TeslaCrypt 2.2.0 ransomware onto their PCs.
As of the evening of December 9th, it was observed that The Independent’s WordPress-running blog was redirecting all users to its main site which was not troubled by the infection.
These two incidents reveal how no one - not even news organizations - can consider themselves completely safe from malware.
And that means that internet users who catch up with the news online need to be careful too.
In both instances, Angler relies on old vulnerabilities to infect unpatched machines. This just goes to show how important it is to install all software patches as soon as they become available. Trust me. It could save you a massive headache in the future.