An attack on a popular open source video player resulted in nearly 200 detected infections, including successfully infiltrating the careers website at security firm FireEye this weekend, according to security researchers there who investigated the incident.
FireEye said the attack was detected on nearly 50 visitors to its careers webpage, where it was served up by a third-party advertiser. The attackers used the Darkleech attack toolkit to serve up the Reveton ransomware, a financially motivated campaign designed to steal account credentials and other data, said Darien Kindlund, manager of threat intelligence at FireEye.
"Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka "malvertisement") that was linked via one of our third-party web services," Kindlund wrote in an analysis of the attack. "The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users."
Darkleech has helped cybercriminals successfully infect tens of thousands of websites. It was detected in April targeting outdated Apache implementations, turning them into a broader botnet capable of spreading malware or carrying out Denial-of-Service attacks.
The Darkleech attacks take advantage of poorly maintained sites that don't apply updates to the underlying content management system and other components used for website functionality, according to Cisco Systems, which issued an alert about Darkleech earlier this year.
The attack was detected by FireEye on Saturday. In addition to Reveton, other antivirus engines reported the FireEye infection to be a variant of Zeus being served up to users, indicating that the attack was a broad campaign designed to infect as many users as possible, Kindlund said. The malware was detected on systems located in more than a dozen countries.
Steve Heffernan, the author of the Video.JS HTML5 video player, said certain versions of the player served from its content delivery network were modified by an attacker to serve up the malware. The servers were delivering the modified version for a three-hour period on Saturday, Heffernan said.
"We quickly reverted to safe versions of the video.js file, and took steps to ensure that the issue could not reoccur," Heffernan wrote in an announcement explaining what happened. "Any browsers that loaded the affected files during the compromised period may have prompted users to install malicious software on their computers."
PUBLISHED SEPT. 16, 2013