An new exploit kit campaign is targeting websites running on out-of-date versions of the Joomla! and WordPress content management system (CMS). Researchers at Sucuri have been tracking the campaign for the past several weeks. They've codenamed it "Realstatistics" because it injects fake analytics code for "realstatistics[.]info" or "realstatistics[.]pro" into the PHP template of every website it infects. Since the end of June, the number of compromised websites has grown every day.
Source: Sucuri Estimates suggest the campaign infected at least 2,000 websites on July 5-6, but the real number of affected websites could be higher. Each compromised website uses a traffic redirection system (TDS) to redirect visitors to content based upon who they are, including their geo-location and operating system. For those users who are deemed of interest, the TDS directs them to the Neutrino exploit kit, which attempts to exploit the browser of the victim using Flash and PDF reader vulnerabilities. If successful, Neutrino pushes CryptXXX ransomware onto the visitor's machine. Originally detected back in April, CryptXXX is a family of crypto-ransomware capable of stealing victims' Bitcoins.
The ransom message for an early version CryptXXX The authors behind the malware have updated CryptXXX several times, first adding a lockscreen and then outfitting it with a credential-stealing module after researchers released several decryption tools for the ransomware. The newest variants of CryptXXX have been spotted in other attack campaigns with Neutrino. Some have also made their authors a considerable sum of money in a short amount of time. A close look at the Realstatistics exploit kit campaign reveals that 60 percent of the affected websites are running out-of-date versions of Joomla! and WordPress. Daniel Cid, CTO and founder of Sucuri, explains attackers behind the campaign are likely abusing that oversight to exploit vulnerabilities affecting extensible components like plugins and extensions:
"When a CMS is out of date, it speaks volumes to the administration / maintenance strategies a website is employing. If a website owner is unable to keep their core up to date, we can confidently say that they are likely not keeping the extensible components up to date. And we know from our previous research that the leading vector in most CMS applications comes from third-party integrations like plugins and extensions."
Site owners who think their websites might be affected by this campaign should use Sucuri's free SiteCheck scanner. They should also make sure they are continuously updating their website and patching any issues that come up.
