Supply Chain Attack Pushes Out Malware to More Than 250 Media Websites

TA569 has modified the JavaScript of a legitimate content and advertising engine used by news affiliates, in order to spread the FakeUpdates initial access framework.


The threat actor known as TA569, or SocGholish, has compromised JavaScript code used by a media content provider in order to spread the FakeUpdates malware to major media outlets across the US.

According to a series of tweets from the Proofpoint Threat Research Team posted late Wednesday, the attackers have tampered with the codebase of an application that the unnamed company uses to serve video and advertising to national and regional newspaper websites. The supply chain attack is being used to spread TA569's custom malware, which is typically employed to establish an initial access network for follow-on attacks and ransomware delivery.

Detection might be tricky, the researchers warned: "TA569 historically removed and reinstated these malicious JS injects on a rotating basis," according to one of the tweets. "Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive."
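The rotating behaviour Proofpoint describes is the reason a one-off scan of a third-party script is not enough: the inject may be absent at the moment you look and back an hour later. The following is an added illustration, not code from Proofpoint, the affected content provider, or this article. It assumes a site operator periodically fetches the script they embed from the provider and keeps each fetch with a timestamp; the `Observation` type, the function names, the script bodies and the timestamps are all constructed for the example. It compares every fetch against a known-good baseline hash, reports every deviation even when a later fetch matches the baseline again, and shows the Subresource Integrity value that could pin a script whose content is under your control.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One fetch of the third-party script (constructed sample data below)."""
    ts: str      # ISO-8601 timestamp of the fetch
    body: bytes  # script bytes exactly as served


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes) -> str:
    """Subresource Integrity value (integrity="sha256-...") for a script whose
    content you are able to pin; only practical when the script rarely changes."""
    digest = hashlib.sha256(data).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def find_deviations(baseline: bytes, observations: list[Observation]) -> list[dict]:
    """Every observation whose hash differs from the known-good baseline.

    An observation that differs and is followed by one that matches again is
    still reported: a transient change is evidence, not a false positive.
    """
    base_hash = sha256_hex(baseline)
    alerts = []
    for obs in observations:
        h = sha256_hex(obs.body)
        if h != base_hash:
            alerts.append({
                "ts": obs.ts,
                "sha256": h,
                "size_delta": len(obs.body) - len(baseline),
            })
    return alerts


def state_transitions(baseline: bytes, observations: list[Observation]) -> list[tuple[str, str]]:
    """Collapse the fetch history into the moments the script flipped between
    'clean' (matches the baseline) and 'modified', so a rotating inject shows
    up as a series of flips rather than a single event."""
    base_hash = sha256_hex(baseline)
    timeline = []
    previous = None
    for obs in observations:
        state = "clean" if sha256_hex(obs.body) == base_hash else "modified"
        if state != previous:
            timeline.append((obs.ts, state))
            previous = state
    return timeline


# Constructed sample data: a minimal stand-in for a legitimate player script and
# the same script with an unexpected block appended. Neither is code from the
# incident; the timestamps are placeholders.
BASELINE = b"(function(){window.mediaPlayer={version:'1.0'};})();\n"
TAMPERED = BASELINE + b"(function(){/* CONSTRUCTED PLACEHOLDER: unexpected appended code */})();\n"

SAMPLE_FETCHES = [
    Observation("2000-01-01T01:00:00Z", BASELINE),
    Observation("2000-01-01T02:00:00Z", TAMPERED),
    Observation("2000-01-01T03:00:00Z", BASELINE),   # inject removed again
    Observation("2000-01-01T04:00:00Z", TAMPERED),   # and reinstated
]


if __name__ == "__main__":
    print("pin with integrity=", sri_value(BASELINE))
    for alert in find_deviations(BASELINE, SAMPLE_FETCHES):
        print("deviation", alert)
    print("transitions", state_transitions(BASELINE, SAMPLE_FETCHES))
```

In practice the baseline should be refreshed only through a deliberate review step, never automatically from the latest fetch, otherwise a tampered copy becomes the new "clean" state. An SRI pin is the stronger control but only fits scripts that change on your schedule; for a video and advertising engine that updates on the provider's schedule, the hash history plus an alert on every flip is the realistic option.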

More than 250 regional and national newspaper sites have accessed the malicious JavaScript, with impacted media organizations serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, DC, according to Proofpoint. However, only the impacted media content company knows the full range of the attack and its impact on affiliate sites, the researchers said.


The tweets cited Proofpoint threat detection analyst Dusty Miller, senior security researcher Kyle Eaton, and senior threat researcher Andrew Northern for the discovery and investigation of the attack.

FakeUpdates is initial access malware and an attack framework in use since at least 2020 (and potentially earlier) that has in the past propagated through drive-by downloads masquerading as software updates. It has previously been linked to activity by the suspected Russian cybercrime group Evil Corp, which has been formally sanctioned by the US government.


About the Authors

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.
