1/31/2024 Invincea web redirector

Video-sharing site DailyMotion, one of the most popular destinations on the Web, is in the throes of an attack where it is serving malicious ads redirecting users to a fake AV scam. Security firm Invincea reported the issue to the website, and as of 4 p.m. ET, DailyMotion was still serving the fake AV malware. This is the second malvertising attack reported this week. Earlier, Yahoo sites in Europe were serving ads that dropped an iframe sending users to domains hosting the Magnitude exploit kit, which then seeded victims with a host of financial malware.

DailyMotion attracts 17 million monthly visitors and is the 95th-ranked website according to Alexa. Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorhpl (9311582adzerknet.

When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam, which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file, which is the malicious executable.

Fake AV scams have been in circulation for years; generally victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection. Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user their machine has been taken over by law enforcement because of some illicit activity online, and the victim must pay a ransom to get their computer unlocked.

Yahoo, meanwhile, removed the malicious ads infecting users in a number of European countries, primarily Romania, Great Britain and France, but not before an estimated 27,000 infections per hour took place between Dec. 30 and when the attack stopped this week. The malicious ads in the Yahoo attack were served from a number of different domains, including two registered on New Year’s Day, and redirected victims to sites hosting the Magnitude Exploit Kit. The kit targets Java vulnerabilities and installs a number of dangerous Trojans, including Zeus, Dorkbot, Necurs and a number of click-fraud malware, according to Dutch security company Fox-IT, which reported the incident to Yahoo last week.

The DoL site was last week found to be compromised and was hosting malicious code believed to be a variant of the Poison Ivy remote access trojan (RAT). The C&C protocol, AlienVault said, also matches that of a backdoor used by the Chinese APT called DeepPanda. The AlienVault research team (and other companies) had originally reported that the exploited vulnerability was a known flaw, CVE-2012-4792, raising serious security protocol questions, but now the zero-day has been confirmed as the culprit. “Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new ,” said AlienVault researcher Jaime Blasco, in a blog. “It was confirmed by Microsoft, released a Security Advisory on Friday, and also FireEye and Invincea.”

AlienVault also found that the US Department of Labor website wasn’t the only entity affected – at least nine other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes, as well as “a big European company that plays on the aerospace, defense and security markets,” said Blasco. Invincea also reported that the web pages that were compromised on the DoL site were actually intended for Department of Energy employees (and their DoL representatives) dealing with nuclear-related illnesses linked to DoE facilities and the toxicity levels at each location. “As such this compromise is now widely believed to be a watering hole attack that involves compromising one Federal department (DoL) to target another (DoE),” said Invincea researcher Eddie Mitchell, in a blog.

AlienVault also detected several redirections to another malicious server (IP address 198.96.92.107) that was serving parts of the malicious payloads. “We recommend you to search your logs for connections to those domains and IP addresses,” Blasco noted. Microsoft said that the issue is a remote code execution vulnerability.