Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Washington Free Beacon Compromised to Serve Malware

An article reporting on the National Security Agency’s surveillance program on a Washington news site was compromised and directed users to a malicious site, Invincea warned on Monday.

An article reporting on the National Security Agency’s surveillance program on a Washington news site was compromised and directed users to a malicious site, Invincea warned on Monday.

An article from The Washington Free Beacon about the identity of a former contractor who leaked documents relating to the PRISM program has been compromising readers with a Java-based exploit kit, Invincea researchers discovered Monday morning. In addition to that article, the attackers had injected Javascript code, which builds an iframe to redirect inbound user traffic to a malicious site, in several other pages, including the main index page for The Free Beacon.

The infection and redirect is similar to “mass-media compromises” Invincea previously identified on wtop.com, federalnewsradio.com, dvorak.org, and nationaljournal.com, Invincea’s Eddit Mitchell wrote on the company blog late Monday afternoon. The Drudge Report has also linked to the NSA leaker story, exposing an even larger group of visitors to the site.

As of Tuesday morning, the site appeared to still be redirecting to malicious sites but was later fixed.

“Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed not responded,” Invincea’s Mitchell wrote on Monday.

After being compromised, users who visited the Free Beacon site were redirected to a malicious site, which exploits a Java vulnerability to download ZeroAccess rootkit and a fake AV variant “Internet Security Pro” (ihdefender.exe) on the user computer. The malware also attempts to establish outbound communications with at least three other sites, according to Invincea’s technical analysis.

The malicious site appears to host the Fiesta exploit kit, the same Java kit that was observed in the compromise of nationaljournal.com earlier this spring. This latest incident appears to be just another attack that is “part of a concerted campaign against media sites,” Mitchell wrote.

While the toolkit and exploit method is the same as previous incidents, this attack is not currently being detected by a majority of the antivirus vendors because the signatures have changed, Mitchell said. Businesses should make sure they are running the latest version of Java on their machines, he recommended.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...