The popular Extendoffice website has been found to be delivering the Angler exploit kit to unsuspecting visitors.
Extendoffice sells add-ins to Microsoft Office, and ranks in Alexa's top 5,500 websites in the US, and 10,000 globally, meaning that it likely has more than 1 million visitors per month. Trustwave researchers uncovered the attackers using the site last week, redirecting its visitors to the Angler EK which, upon successful exploitation, dropped the TeslaCrypt ransomware on the victim machine. The site runs on Joomla, which has known vulnerabilities that the perpetrators likely exploited, Trustwave researchers said.
Disturbingly, the site was cleaned, but the EK has once again attached itself to it, renewing its efforts. And here’s a probable reason: The worst thing about this incident is that a quick URL scan on VirusTotal shows that the attack has gone largely unnoticed, with a near-non-existent detection rate. According to VirusTotal, only one URL (Trustwave’s scanning engine) is labeling the website at malicious, leaving many users still exposed to the attack.
“Clearly, the threat of exploit kits is not going away any time soon,” a Trustwave spokesperson said via email. “In fact, it's only becoming more of an issue that can result in huge monetary loss for organizations. According to Trustwave's 2015 Global Security Report, cyber criminals receive a 1,425% return on their investment for exploit kit and ransomware schemes.”
Exploit kits have evolved with alarming speed, heightened stealth and novel shape-shifting abilities, according to the latest Dell Security Report. Last year’s most active kits were Angler, Nuclear, Magnitude and Rig, and the overwhelming number of exploit kit options gave attackers a steady stream of opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight.
Mitigation begins with patching, the researchers noted.
“Unfortunately, as end users we have no control over the safety measures taken by websites to secure our visit to them, but by keeping our software up-to-date we can make sure that our attack surface remains minimal,” the report noted. “For enterprises, it is important to have security products in place that are able to deal with these threats and protect corporate users.”
Photo © picture partners