Symantec has reported that foodies in India are being served an unpalatable dish of ransomware after the Indian restaurant recommendation site Burrp was compromised. Visitors to the site were silently redirected to the Angler exploit kit (EK), which then dropped the TeslaCrypt ransomware onto their computers.
The Symantec blog post by Aishwarya Lonkar, which goes into some detail about the breach, says: “The attack appears to be related to a technique described in a recent SANS advisory, as it used the gateway [MALICIOUS SITE].info/megaadvertize.” The SANS article by Brad Duncan that it refers to makes for very interesting reading for security professionals.
What is worrying about this attack is that Lonkar says it started in February and is still ongoing, with many of its victims in either India or the US. Among the other countries where it has been detected are Russia, France, the UK, the Netherlands and Sweden. Symantec says that it has now notified Burrp of the problem and that it is being rectified.
How was Burrp infected?
The attack is more involved than a quick download. According to the blog, once the EK’s landing page has been decrypted using a key sent to the computer, it: “...attempts to exploit the Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6332). If the exploit succeeds, then the TeslaCrypt payload is dropped onto the computer.
“If the exploit doesn’t work, then the kit drops an .swf file with an exploit for the Adobe Flash Player and AIR Unspecified Integer Overflow Vulnerability (CVE-2015-8651) to download TeslaCrypt onto the computer.” The blog goes on to add that Angler has also been observed delivering exploits for the Microsoft Silverlight Remote Code Execution Vulnerability (CVE-2016-0034).
In effect the kit works through a chain of exploits, falling back to the next one when the previous one fails, so a visitor is protected only if every one of the targeted components (Windows, Flash Player and Silverlight) is patched. This approach of trying multiple attack vectors is not only interesting but likely to concern a lot of security teams. While patching inside enterprises has got better, the number of computers entering the building under Bring Your Own Device (BYOD) programmes has grown faster. This means that enterprise IT teams are having to rely on users to keep the software on their own devices patched.
Burrp is not the first website to be compromised in this way and it certainly won’t be the last. The fact that this attack ran for over a month before anyone told Burrp shows just how effective this attack vector is.
WordPress and Joomla sites have proven happy hunting grounds for cybercriminals looking for ways to get their malware to unsuspecting users. It is important that web teams inside organisations keep a check on their websites, and that includes applying updates when vulnerabilities are announced and regularly scanning the pages the site actually serves for injected content such as the redirect code used here.
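One way to do that regular check, as an added example that is not Symantec's, Burrp's or any product's code: scan the HTML a site serves for references that load from, or redirect to, a host the site does not own, and diff the current page against a known-good snapshot. It assumes the injection takes one of the common forms (a hidden iframe, a script include or a meta refresh pointing at an outside gate host), which the page does not confirm for Burrp; the host gate-placeholder.info, the site name burrp.example and the HTML snippets are constructed stand-ins for the redacted gate and the real site.

```python
"""Offline check for injected redirects in a site's served HTML.

Added example, not Symantec's or Burrp's code. Assumes the injection is an
<iframe>, a <script src> or a <meta http-equiv="refresh"> pointing at a host
the site does not own. gate-placeholder.info, burrp.example and the sample
pages below are constructed stand-ins, not real Burrp markup.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect every tag that can pull in, or redirect to, another URL."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"].strip(), a))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://..."; keep only the url part
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.refs.append((tag, part[4:].strip(), a))


def collect_refs(html):
    p = _RefCollector()
    p.feed(html)
    p.close()
    return p.refs


def _host(url):
    """Bare lowercase host of a URL; '' for relative URLs."""
    netloc = urlparse(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def _is_hidden(attrs):
    """Zero-size or CSS-hidden frames are the classic drive-by shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1")
            or attrs.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style)


def find_suspicious_refs(html, site_host, allowed_hosts=()):
    """Return (tag, url, reason) for every reference that loads from, or
    redirects to, a host outside site_host, its subdomains and allowed_hosts,
    plus any hidden iframe regardless of host."""
    site_host = site_host.lower()
    allowed = {site_host, *(h.lower() for h in allowed_hosts)}
    findings = []
    for tag, url, attrs in collect_refs(html):
        host = _host(url)
        reasons = []
        if host and host not in allowed and not host.endswith("." + site_host):
            reasons.append("off-site host " + host)
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, url, "; ".join(reasons)))
    return findings


def new_refs_since(baseline_html, current_html):
    """References in the current page that a known-good snapshot lacked:
    the cheapest way to spot an injection on a site you own."""
    seen = {(t, u) for t, u, _ in collect_refs(baseline_html)}
    return [(t, u) for t, u, _ in collect_refs(current_html) if (t, u) not in seen]


# Constructed sample pages (not real Burrp markup).
CLEAN_PAGE = """<html><head><meta charset="utf-8">
<script src="/js/app.js"></script>
<script src="https://static.burrp.example/lib.js"></script>
</head><body><h1>Restaurants</h1></body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://gate-placeholder.info/megaadvertize" '
    'width="0" height="0"></iframe></body>')

if __name__ == "__main__":
    for tag, url, why in find_suspicious_refs(INFECTED_PAGE, "burrp.example"):
        print(f"{tag}: {url} ({why})")
    print("new since baseline:", new_refs_since(CLEAN_PAGE, INFECTED_PAGE))
```

Run it against the HTML that a real browser receives (fetched as a visitor, not read from the web root), because an injected gate is often served only to certain visitors or only on some requests; the allowlist exists for CDNs and analytics hosts the site legitimately uses, and anything else off-site or hidden deserves a look.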