On Monday, Government Security News’ (GSN) Editor-in-Chief Jacob Goodwin told readers that the site had been the victim of a cyberattack, which was targeting visitors to the site with malware. As it turns out, more than 60 other sites were victimized by the same attack.
The GSN attack was initially noticed due to a warning issued by Google’s Chrome after someone attempted to view the site. Chrome, assuming Google is aware of the issue at the time, will flag domains that are confirmed to have malicious content on them.
In addition to GSN, Monday’s malware campaign targeted other media organizations, including a D.C. area radio station, by hijacking the advertising channel. The domains were not compromised, but the ad network itself was used to deliver the redirect code and malicious payload – a classic malvertising attack.
According to researchers at Zscaler, it is likely GSN was compromised for a few days before anyone noticed that googlecodehosting(.)com was serving malicious ads. However, Zscaler also noticed that the same malicious content was being delivered from the same domain, under the ORG and NET top-level domains, expanding the victim list to 65 additional domains.
The payload used during the attacks, a malicious JAR file, is targeting at least two separate Java vulnerabilities in order to install the ZeroAccess Trojan. A similar campaign targeting media domains was detected in May. The earlier campaign targeted WOTP Radio in Washington, D.C., as well as Federal News Radio, The Christian Post, Real Clear Science, and Real Clear Policy.
In each of the cases, the malicious code and payloads were being hosted on compromised WordPress sites, which as SecurityWeek reported earlier this week, have become a popular target due to flaws in third-party code.