System admins targeted in jQuery hack

News by Tim Ring

Users of the jQuery website development tool - who are mainly 'privileged' users like system admins and developers - are being warned they could have been served with the RIG credentials-stealing malware in a hack that was launched more than a week ago.

Although jQuery was alerted to the drive-by attack on the day it happened, 18 September, its initial doubts as to whether its website had been compromised meant it only confirmed the compromise on 24 September.

As a result, any privileged users visiting the site last Thursday could have been infected and their organisational systems compromised for the past several days.

The hack was spotted by security firm RiskIQ, which highlighted the threat because the jQuery toolkit is used by 30 percent of all internet websites, including 70 percent of the world's top 10,000 sites.

RiskIQ said: “Discovering information-stealing malware on is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT systems administrators and web developers, including a large contingent who work within enterprises.

“Typically, these individuals have privileged access to web properties, back-end systems and other critical infrastructure.

“Planting malware capable of stealing credentials on devices owned by privileged accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.”

The jQuery attack involved hackers planting a malicious script on its site that redirected visitors to a server hosted in Russia, which then infected them with the RIG malware.

RiskIQ says RIG typically drops banking Trojans and other information-stealing malware. The company adds that it alerted jQuery on 18 September, but the organisation's initial checks were unable to confirm the attack.

RiskIQ eventually went public on the hack on 23 September, saying: “After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted to alert them to the attack. While they weren't able to determine the root cause of the attack, the site's administrators were addressing the issue.

“At the time of writing, jquery-cdn[.]com was still up and redirecting users to RIG exploit kit.”

On the same day, jQuery board member Ralph Whitbeck still questioned “Was compromised?”, saying: “Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise.”

But the following day, 24 September, the company tweeted to admit RiskIQ were right all along, saying: “We have detected a new compromise of and are taking action to mitigate the attack. Updates to follow.”

Both RiskIQ and jQuery say that the jQuery toolkit library itself has not been compromised.

RiskIQ advises any systems admins and developers who suspect they have been affected by the campaign to “immediately re-image the system, re-set passwords for user accounts that have been used on the system and see if any suspicious activity has originated from the offending system.”

In a further twist to the tale, jQuery said that in a separate incident, its website was defaced on 24 September, though no malware was planted. Whitbeck said: “We took the site down as soon as we realised there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities.”

Meanwhile, in a follow-up blog post on 24 September, RiskIQ's James Pleger offered some mitigation for jQuery's response to the malware attack.

He said: “It's important to note that the type of attack that occurred is extremely difficult to detect and that jQuery Foundation engineers have been working diligently on this issue. They immediately took measures to address the servers in question when we first reached out and were responsible in their disclosure on their blog.

“jQuery was naturally sceptical as they were unable to detect the malware themselves, but we commend them for taking the responsible approach.”

Commenting on the attack, security expert Rowland Johnson, CEO of Nettitude, told by email: “jQuery is a big target for attackers. Its JavaScript libraries act like ‘glue’ enabling many of the functions that users have come to rely on, on the internet today.

“It looks like jQuery has been attacked twice within one week. Not great news for the jQuery team as it looks like it has multiple application vulnerabilities that are exploitable by attackers.

“The latest attack doesn't look like it has compromised credentials, however it is still early days and I suspect jQuery is still very much in the response phase.”

Scott MacKenzie, CISO with cyber security solutions provider Logical Step, told SC in an email: “The site defacement of causes reputational damage for jQuery, specifically to its user base which consists of tech-savvy individuals. The defacement appears to be a distinctly different attack to the website set-up utilising the RIG exploit pack.”

MacKenzie said that RIG typically downloads malware such as the Zeus banking Trojan or CryptoDefense ransomware.

RiskIQ could not confirm the number of users infected and jQuery have not published any figures. But Pleger said the hack highlights the danger of online attacks taking place outside corporate firewalls.

He blogged: “This incident brings to light an important technological challenge facing modern information security that is still not well-understood.

“The covert compromise of content sites via compromise of third-party JavaScript/iframe embeds can completely bypass traditional inside-the-firewall controls such as code reviews, web application firewalls and the like. This underscores the importance of an outside-the-firewall monitoring solution.

“As websites continue to scale and more digital transactions involving the personal information of real individuals occur, the opportunity to exploit these areas will continue to grow. The impact will have serious consequences if not properly addressed.”
