System admins targeted in jQuery hack

Users of the jQuery website development tool, who are mainly 'privileged' users such as system admins and developers, are being warned they could have been served with the RIG credential-stealing malware in a hack launched more than a week ago.


Despite being alerted to the drive-by attack on the day it happened, 18 September, jQuery initially doubted that its website had been compromised and only confirmed the breach on 24 September.

As a result, any privileged users who visited the site last Thursday could have been infected, and their organisational systems compromised, for the past several days.

The hack was spotted by security firm RiskIQ, which highlighted the threat because the jQuery toolkit is used by 30 percent of all internet websites, including 70 percent of the world's top 10,000 sites.

RiskIQ said: “Discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT systems administrators and web developers, including a large contingent who work within enterprises.

“Typically, these individuals have privileged access to web properties, back-end systems and other critical infrastructure.

“Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.”

The jQuery attack involved hackers planting a malicious script on its site that redirected visitors to a server hosted in Russia, which then infected them with the RIG malware.
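A check a site operator could run over their own pages to catch the kind of injected redirect described above: an added example in Python, not code from the article, from RiskIQ or from the jQuery project. It flags `<script src>` hosts outside an allowlist and inline scripts that change `location` or write an iframe; the allowlist, the sample page and the `injected-redirect.example` host are constructed for illustration.

```python
# Audit a page's <script> tags for unexpected sources and redirecting inline code.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the operator expects to serve script ("" = same-origin path).
ALLOWED_SCRIPT_HOSTS = {"", "jquery.com", "code.jquery.com"}
# Inline-script idioms that send the visitor elsewhere: location changes and written iframes.
REDIRECT_PATTERNS = re.compile(
    r"(?:window\.|document\.)?location\.(?:href|replace|assign)|document\.write\s*\(\s*['\"]\s*<iframe",
    re.IGNORECASE)

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        # External source: flag any host that is not on the allowlist.
        if src and urlparse(src.strip()).netloc.lower() not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("external-src", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script body: flag redirect idioms, keep a short excerpt as evidence.
        if self._in_script and REDIRECT_PATTERNS.search(data):
            self.findings.append(("inline-redirect", " ".join(data.split())[:80]))

def audit_html(html):
    """Return the list of (kind, detail) findings for one HTML document."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: two legitimate scripts followed by two injected ones.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery-1.11.1.min.js"></script>
<script>document.write('<iframe src="http://injected-redirect.example/go" width=1 height=1></iframe>');</script>
<script src="//injected-redirect.example/loader.js"></script>
</head><body></body></html>"""
```

`audit_html(SAMPLE_PAGE)` returns the two injected scripts and nothing for the two legitimate ones; the result is only as good as the allowlist, so every host added to it needs review.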

RiskIQ says RIG typically drops banking Trojans and other information-stealing malware. The company adds that it alerted jQuery on 18 September, but the organisation's initial checks were unable to confirm the attack.

RiskIQ eventually went public on the hack on 23 September, saying: “After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted jQuery.com to alert them to the attack. While they weren't able to determine the root cause of the attack, the site's administrators were addressing the issue.

“At the time of writing, jquery-cdn[.]com was still up and redirecting users to the RIG exploit kit.”

On the same day, jQuery board member Ralph Whitbeck still questioned “Was jquery.com compromised?”, saying: “Our internal investigation into our servers and logs has not yet found the RIG exploit kit or evidence that there was in fact a compromise.”

But the following day, 24 September, the company tweeted to admit RiskIQ were right all along, saying: “We have detected a new compromise of http://jquery.com and are taking action to mitigate the attack. Updates to follow.”

Both RiskIQ and jQuery say that the jQuery toolkit library itself has not been compromised.

RiskIQ advises any system admins and developers who suspect they have been affected by the campaign to “immediately re-image the system, reset passwords for user accounts that have been used on the system and see if any suspicious activity has originated from the offending system.”

In a further twist to the tale, jQuery said that in a separate incident, its website was defaced on 24 September, though no malware was planted. Whitbeck said: “We took the site down as soon as we realised there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities.”

Meanwhile, in a follow-up blog post on 24 September, RiskIQ's James Pleger offered some mitigation for jQuery's response to the malware attack.
