Ransomware Crosses Over from WordPress to Joomla

Cyber attackers responsible for a WordPress malvertising campaign are looking to expand its reach, as reports show the threat actors attempting to cross platforms by targeting Joomla-hosted sites. According to security researcher Brad Duncan via the Internet Storm Center, the group behind the WordPress “admedia” campaign is setting its sights on a new target, as they've been found attacking the open-source content management platform Joomla.

In January 2016, WordPress infections resulting from admedia iframe injections not only led to the installation of backdoors, but also presented malicious domains that led visitors to an exploit kit that contains the TeslaCrypt ransomware. According to Duncan, the campaign has now added the use of the Angler exploit kit to the Nuclear exploit kit it dropped on target sites when it was first observed. Aside from this, the threat actors have also begun using “megaadvertize” in their gateway URLs.

However, the technique remains the same: a website gets compromised and starts hosting scripts injected into its legitimate .js files. These files run JavaScript code on the site's pages, and the injected code then directs visitors to admedia gateways. This means that the generated iframes spawn an entryway from the infected website to the exploit kit, which, in this case, drops TeslaCrypt ransomware. Ransomware continues to be a very effective malware type designed to extort money from unwitting victims, and it shows no signs of slowing down.
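As an added example (not part of the original article), the sketch below shows how a defender could search web proxy logs for requests to gateway URLs containing the “admedia” or “megaadvertize” strings and list the referring sites that sent clients there. The log format, host names and IP addresses are constructed, and matching the token in the host or path only is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Substrings the article reports in the campaign's gateway URLs.
GATEWAY_TOKENS = ("admedia", "megaadvertize")

# Constructed proxy log (assumed format: time client "METHOD url" status "referer").
SAMPLE_LOG = """\
2016-02-18T10:01:02Z 10.0.0.5 "GET http://blog.example.org/wp-includes/js/jquery.js" 200 "http://blog.example.org/"
2016-02-18T10:01:03Z 10.0.0.5 "GET http://gw1.example.net/admedia/?id=1&keyword=abc" 200 "http://blog.example.org/"
2016-02-18T10:04:40Z 10.0.0.9 "GET http://gw2.example.net/MegaAdvertize/?id=7" 200 "http://shop.example.com/index.php"
2016-02-18T10:05:00Z 10.0.0.9 "GET http://news.example.com/story?tag=admedia-campaign" 200 "-"
2016-02-18T10:06:11Z 10.0.0.7 "GET http://gw1.example.net/admedia/?id=2" 200 "-"
malformed line
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')


def is_gateway_url(url):
    """True when a gateway token appears in the host or path (assumption: not the query)."""
    parts = urlsplit(url)
    haystack = (parts.netloc + parts.path).lower()
    return any(token in haystack for token in GATEWAY_TOKENS)


def find_gateway_hits(log_text):
    """Map referring host -> list of (client, gateway host) for gateway requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        _, client, _, url, _, referer = match.groups()
        if not is_gateway_url(url):
            continue
        # A referring host that is one of your own sites points at injected .js files.
        ref_host = urlsplit(referer).hostname or "(no referer)"
        hits[ref_host].append((client, urlsplit(url).hostname))
    return dict(hits)


if __name__ == "__main__":
    for ref, entries in sorted(find_gateway_hits(SAMPLE_LOG).items()):
        print(ref, "->", entries)
```

Referring hosts that appear in the result are candidates for a review of their .js files against known-good copies.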

While researchers share that the number of infected Joomla-hosted sites is not as large as that of WordPress, website administrators should not take this lightly. Compromising legitimate domains as an attack vector is gaining popularity, given the kind of traffic and trust that they get from unknowing users. Webmasters are advised to regularly patch CMS systems and to stay vigilant on the latest threats that could put their users at risk.


Posted in Cybercrime & Digital Threats, ransomware, Malvertising