Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Washington Free Beacon Compromised to Serve Malware

An article reporting on the National Security Agency’s surveillance program on a Washington news site was compromised and directed users to a malicious site, Invincea warned on Monday.

An article reporting on the National Security Agency’s surveillance program on a Washington news site was compromised and directed users to a malicious site, Invincea warned on Monday.

An article from The Washington Free Beacon about the identity of a former contractor who leaked documents relating to the PRISM program has been compromising readers with a Java-based exploit kit, Invincea researchers discovered Monday morning. In addition to that article, the attackers had injected Javascript code, which builds an iframe to redirect inbound user traffic to a malicious site, in several other pages, including the main index page for The Free Beacon.

The infection and redirect is similar to “mass-media compromises” Invincea previously identified on wtop.com, federalnewsradio.com, dvorak.org, and nationaljournal.com, Invincea’s Eddit Mitchell wrote on the company blog late Monday afternoon. The Drudge Report has also linked to the NSA leaker story, exposing an even larger group of visitors to the site.

As of Tuesday morning, the site appeared to still be redirecting to malicious sites but was later fixed.

“Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed not responded,” Invincea’s Mitchell wrote on Monday.

After being compromised, users who visited the Free Beacon site were redirected to a malicious site, which exploits a Java vulnerability to download ZeroAccess rootkit and a fake AV variant “Internet Security Pro” (ihdefender.exe) on the user computer. The malware also attempts to establish outbound communications with at least three other sites, according to Invincea’s technical analysis.

The malicious site appears to host the Fiesta exploit kit, the same Java kit that was observed in the compromise of nationaljournal.com earlier this spring. This latest incident appears to be just another attack that is “part of a concerted campaign against media sites,” Mitchell wrote.

While the toolkit and exploit method is the same as previous incidents, this attack is not currently being detected by a majority of the antivirus vendors because the signatures have changed, Mitchell said. Businesses should make sure they are running the latest version of Java on their machines, he recommended.

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

NSA has announced Kristina Walter as the new chief of the agency's Cybersecurity Collaboration Center.

More People On The Move

Expert Insights