An article reporting on the National Security Agency’s surveillance program on a Washington news site was compromised and directed users to a malicious site, Invincea warned on Monday.
An article from The Washington Free Beacon about the identity of a former contractor who leaked documents relating to the PRISM program has been compromising readers with a Java-based exploit kit, Invincea researchers discovered Monday morning. In addition to that article, the attackers had injected Javascript code, which builds an iframe to redirect inbound user traffic to a malicious site, in several other pages, including the main index page for The Free Beacon.
The infection and redirect is similar to “mass-media compromises” Invincea previously identified on wtop.com, federalnewsradio.com, dvorak.org, and nationaljournal.com, Invincea’s Eddit Mitchell wrote on the company blog late Monday afternoon. The Drudge Report has also linked to the NSA leaker story, exposing an even larger group of visitors to the site.
As of Tuesday morning, the site appeared to still be redirecting to malicious sites but was later fixed.
“Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed not responded,” Invincea’s Mitchell wrote on Monday.
After being compromised, users who visited the Free Beacon site were redirected to a malicious site, which exploits a Java vulnerability to download ZeroAccess rootkit and a fake AV variant “Internet Security Pro” (ihdefender.exe) on the user computer. The malware also attempts to establish outbound communications with at least three other sites, according to Invincea’s technical analysis.
The malicious site appears to host the Fiesta exploit kit, the same Java kit that was observed in the compromise of nationaljournal.com earlier this spring. This latest incident appears to be just another attack that is “part of a concerted campaign against media sites,” Mitchell wrote.
While the toolkit and exploit method is the same as previous incidents, this attack is not currently being detected by a majority of the antivirus vendors because the signatures have changed, Mitchell said. Businesses should make sure they are running the latest version of Java on their machines, he recommended.