Around 142 million legitimate websites could be serving up ransomware to their unwitting users due to out-of-date software, according to a new study.
The research, carried out by IT security firm Heimdal Security, found that hackers were using the Neutrino Exploit Kit to inject malicious scripts into outdated webserver software that could potentially reach 400 million users.
According to a blog post by Andra Zaharia at Heimdal Security, the attack is mainly directed at websites running out-of-date versions of the WordPress content management system or outdated plugins.
She said that out of the one billion websites in the world, 58.7 percent of them run WordPress and over 20 percent of these installations run an outdated version, meaning around 142 million such websites could be vulnerable to ransomware attacks.
“Even websites that run the latest version of WordPress could be vulnerable to this attack if they run outdated plugins and lack in proper security settings,” she said.
She added that the attack is not limited to WordPress websites so the figure could potentially be much more than this.
Zaharia said the exploit worked by injecting a malicious script on the target website that references a halfway house on an attacker's domain. This domain redirects traffic towards the commercial exploit kit Neutrino, which then tries to force-feed the victim's system with a Teslacrypt variant, a ransomware Trojan.
“Neutrino will exploit writing condition vulnerabilities in Adobe Flash Player, Internet Explorer and Adobe Reader / Acrobat. All the mentioned vulnerabilities are recent and have a low antivirus detection rate because of the multilayer obfuscation system that Neutrino exploit kit uses,” said Zaharia.
“Website administrators, bloggers and everyone who uses a CMS should once again understand that patching and installing the latest updates is key to ensuring basic cyber-security for any type of website and platform, and that security provisions are not only essential for themselves, but for their readers as well,” added Zaharia.
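One way a site operator could check a served page for the kind of injected script reference Zaharia describes, as an added example (not from Heimdal Security or the original article). The function names, the allowlist and every domain in the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class RemoteRefCollector(HTMLParser):
    """Collect absolute URLs of every <script src> and <iframe src>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            # urljoin resolves relative and protocol-relative ("//host/x") URLs
            self.urls.append(urljoin(self.page_url, src.strip()))


def unexpected_hosts(html, page_url, allowed_hosts):
    """Hosts the page loads scripts/iframes from that are neither the site
    itself nor on the operator's allowlist (hypothetical helper)."""
    trusted = {urlparse(page_url).hostname} | {h.lower() for h in allowed_hosts}
    collector = RemoteRefCollector(page_url)
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h not in trusted)


# Constructed sample page; every domain is a placeholder.
SAMPLE_PAGE = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/analytics.js"></script>
</head><body><p>Post body</p>
<script src="http://redirector.example.org/a.js"></script>
<iframe src="HTTP://Redirector.Example.org/frame" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_PAGE, "https://blog.example.com/post",
                           ["cdn.example.net"]))
```

Run against a crawl of the site's own pages, any host this returns is a reference nobody on the team approved and is worth tracing back to the theme, plugin or database row that emits it.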
Chris Boyd, senior malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that outdated content management systems provide an easy way for scammers to use websites as launch pads for malware attacks, and too many businesses are unaware of the risk posed by not updating all aspects of WordPress.
“From the CMS to plugins, something tends to slip through the cracks and isn't noticed until it's too late,” he said.
“Additional wrinkles are caused by small silos being responsible for their own little slice of digital real estate and not communicating with others. As a result, WordPress may be up to date but an old, vulnerable plugin may be lying in wait to cause havoc,” he added.
Boyd said a solid procedure needs to be mapped out between IT and those responsible for the day-to-day interactions with the site itself to ensure everything is running as planned. “If your network is compromised by ransomware and you haven't invested in a solid backup plan, there could be severe consequences.”
Martin Lee, intelligence manager at Alert Logic, told SC that end users need to be aware of the possibility that any website that they visit, no matter how reputable or related to their work, may still serve malware. “Patching combined with running up-to-date antivirus software provides a lot of protection. Placing a web content filter between users and potentially compromised web sites provides an extra layer of security,” he said.
“Essentially, patching remains an issue for the IT industry. If a system isn't patched then it's vulnerable to attackers. The attackers know this and have refined the crime model of exploiting unpatched software in web servers to install exploit kits that exploit unpatched software in visitors.”
Mark James, security specialist at ESET, told SC that there are a few reasons why website CMS software does not get updated.
“Quite often it's one of two reasons, either not knowing there's an update available for the software they are using or just not getting around to it. Checking the installed version numbers against any available updated versions at worst will be a physical check within the application itself or at best an automated check or clickable option within the software itself, either way it must be done on a regular basis,” he said.
He added that patching both applications and operating systems should be run on a weekly basis without fail. “You cannot supply data or services to the public without keeping an eye on the means to offer those services.”
“I appreciate we can't protect against all vulnerabilities and exploits 100 percent of the time but there's so many that can be protected just by updating your software. There is no excuse for why it's not being done, it's not rocket science and it should not cost you any money to at least check,” he said.
Steve Nice, Node4's chief technologist, told SC that organisations can protect themselves by having a device which filters internet traffic before it reaches the internal network. “These devices could be called firewalls, proxies, web filters, IDS or UTMs. They must be updated daily, if not hourly, and will be able to detect and block malicious scripts,” Nice said.