jQuery Credential-Stealing Attack Targets Sys Admins and Web Developers
jQuery.com, a JavaScript library website with users that are typically IT system administrators and web developers, was found to contain drive-by download, credential-stealing malware, according to a blog by RiskIQ.com. They also offer a much more in-depth, technical explanation here (PDF).
What does that really mean?
- A malicious script was added to jQuery.com by attackers
- The script added an invisible iframe that redirected users to a RIG exploit kit (the redirector is currently hosted in Russia)
- The kit installs credential-stealing malware on user’s machines
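As an added example (not from RiskIQ's report or the original post), here is a small Python check a site owner could run over a page's HTML to flag the pattern described above: an iframe that is hidden from view and points at an off-site host. The sample HTML and the redirector hostname in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of view.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for 0px/1px-style sizes, another way to hide a frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are both hidden and off-site for a given host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, reason) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs -> ""
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Same-origin or relative frames are not the injected-redirect pattern.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        hidden = (
            HIDDEN_STYLE.search(a.get("style", "")) is not None
            or (_is_tiny(a.get("width")) and _is_tiny(a.get("height")))
            or "hidden" in a
        )
        if hidden:
            self.findings.append((src, "hidden off-site iframe"))


def find_hidden_iframes(html, site_host):
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one ordinary same-site frame, one hidden off-site frame.
SAMPLE = """<html><body>
<iframe src="https://jquery.com/embed/demo" width="600" height="400"></iframe>
<iframe src="http://redirector.example.invalid/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE, "jquery.com"):
        print(reason, src)
```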
The injected malicious rotator script, below; screenshot from RiskIQ.com:
The RIG exploit kit, a PHP-based crimeware browser application, was discovered early this year, with a more technical overview written up by Symantec. To summarize and simplify, here’s how it works:
- The kit checks to see if a user has a driver file that indicates whether or not they have a certain antivirus software product. If it's present, the kit doesn't install itself, in order to avoid detection.
- Then the kit checks for certain installed plugins to exploit, including known vulnerabilities such as:
  - Microsoft's IE (CVE-2013-2551, CVE-2014-0322)
  - Silverlight (CVE-2013-0074)
  - Adobe Flash (CVE-2014-0497)
  - Java (CVE-2013-2465, CVE-2012-0507)
- If it is able to exploit one of these, the kit then drops malware. In the past, attackers have used the Zeus and Cryptodefense Trojans. Zeus is used most often; it effectively steals information from the compromised computer, including usernames and passwords.
While this would suck if it hit any website, it particularly sucks because the jQuery site is used by sys admins and developers that work within enterprises, as RiskIQ.com acknowledges. There weren’t any changes in the jQuery code libraries, but it’s still worrisome as the users are a very targeted group that certainly have more privileged accounts and access to major company networks. Meaning, if attackers successfully install malware and steal jQuery user passwords, they could do some real damage.
The kit has been used most recently in the JPMorgan Chase phishing attack, which I wrote about in JPMorgan Chase Hack: Four Ways to Steal Your Credentials:
Proofpoint security researchers have analyzed the 150,000 phishing emails that hit JP Morgan Chase customers to find that attackers are rolling out more than one way to exploit stolen credentials.
Dubbed the ‘Smash & Grab’ campaign, Proofpoint has found that the emails not only ask users to submit their credentials, but the spoofed page also redirects users to a RIG exploit kit via a malicious iframe. RIG checks a machine to see if it’s vulnerable, and then installs the banking Trojan Dyre on a user’s machine.
From a strategic perspective, attackers may be able to target a much wider swath of industries by hitting IT administrators instead of one individual financial corporation. That just means users, especially privileged users, need to ensure their authentication security is up to snuff.
Naturally, two-factor authentication can provide an additional layer of security for these types of users in particular. Meanwhile, RiskIQ.com recommends that jQuery site users scan systems for malware, check for suspicious activity, reset passwords and re-image any affected systems.