Attackers use media websites' supply chain to deliver malware

As reported by Proofpoint, a malware campaign has been particularly successful recently, by compromising and injecting malicious javascript code into nearly 300 popular websites targeting users in multiple countries accross the world, including central and eastern Europe.

The malware itself is called SocGholish and is nothing new, being observed in the wild as early as 2018. However, the distribution method is much akin to a supply chain attack: the threat actor has apparently injected a drive-by-download mechanism into a benign javascript file provided by a syndicated content and ad serving company - a file referenced and served by media websites across the world.

The effect is much like a supply chain attack: one single malicious change propagated instantaneously to legitimate websites and millions of unsuspecting visitors.

The good news is the malware itself requires user interaction and lack of security awareness, i.e. usually clicking on a fake browser update page to download and execute the final malware, which is either ransomware or a remote access trojan stealing sensitive data and passwords to other resources.

Nevertheless, that in itself stresses again the need for constant security awareness initiatives among company employees, as the human element and social engineering continues to drive breaches, with 82% of breaches involving either use of stolen credentials and phishing, according to a recent authoritative report.

Also, the malware campaign is again pointing to systemic vulnerabilities within digital supply chains, this time in media companies relying on 3rd parties to deliver content.