In the days following RiskIQ's initial discovery of the RIG exploit kit being served via jQuery.com, RiskIQ has been working directly with the jQuery Foundation to help them confirm the incident. Today (September 24, 2014) jQuery reported on the incident via Twitter and confirmed that a compromise had taken place. There are also outside reports that a defacement took place, and that claim has been confirmed by several sources. In a screenshot posted by Reddit user etbusch, a line from the defacement displayed on the API documentation site (api.jquery.com) reads: "I'm looking for a new job, I'm so sorry for this experiment with iframe, no one was injured, all files was permanently deleted."
This suggests that the original attacker posted the message, along with a public key, as a last-ditch effort. There is, however, no hard proof that the person who posted it is the same one who originally injected the script tags. Because api.jquery.com is hosted on the same server as jquery.com, the two incidents are likely related.
RiskIQ went public with the discovery when it did to ensure the problem was resolved before more harm could be done. A key concern is that visitors to jQuery.com tend to be developers and administrators with privileged access to vital systems, which makes alerting those users all the more urgent.
Although jQuery has now confirmed the incident, we felt it was important to give all jQuery.com users a chance to check their systems. Once again, RiskIQ's recommended remediation for a system that may have been infected is:
- Immediately re-image the system
- Reset the passwords of every account that has been used on the system
- Check whether any additional suspicious activity has originated from the affected system
RiskIQ was certain of the attack because of the consistency of the information collected by our virtualized user system during its web crawl, combined with our extensive analysis of the exploit kits themselves. RiskIQ virtual users mimic customer interaction on a global scale to detect risk to your customers and brand from the Outside The Firewall perspective. During a web crawl on the day of the incident, RiskIQ detected an attempt to exploit our web crawler. Because we save the raw content we receive from every website we browse, we were able to determine definitively that it came from jQuery.com. We verified these findings with several Fortune 100 companies whose proxy logs showed requests to the jquery-cdn[.]com domain with a referrer of jquery.com.
Specifically, we saw a script tag injected into the main site that loaded an iframe, which in turn redirected visitors to the exploit kit. The site used to redirect users to the malware was jquery-cdn[.]com. This domain was stood up on the day the injection occurred and was hosted in Eastern Europe. To be clear, the jQuery team does not own this domain, and it is not the CDN they use to serve the library.
The sequence of events (shown as a diagram in the original post) was: a script tag injected into jquery.com loaded an iframe; the iframe pointed at jquery-cdn[.]com; and that domain redirected the browser to the RIG exploit kit.
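The two checks described above, finding the redirector in proxy logs and spotting an injected loader in saved page content, can be scripted. The following is an added example written for this article, not RiskIQ's or the jQuery Foundation's code. It assumes a simple space-separated proxy-log format (timestamp, client IP, method, URL, status, referrer), an allowlist of hosts that jquery.com legitimately loads from (an assumption; adjust to the site you are checking), and constructed sample inputs; the timestamps and paths in the samples are made up and are not the real indicators beyond the two domains named in the post.

```python
"""Added example: triage helpers for the jquery.com / jquery-cdn[.]com indicators.

scan_proxy_log()      - flag requests to the attacker's redirector whose Referer
                        is jquery.com (the pattern seen in Fortune 100 proxy logs).
find_offsite_loaders() - given a saved copy of a page, list every <script src> and
                        <iframe src> that points at a host outside an allowlist,
                        which is how an injected loader like this one stands out.
Log format, allowlist and sample inputs are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

REDIRECTOR = "jquery-cdn.com"  # attacker-controlled domain named in the post; NOT jQuery's CDN
# Assumption: hosts jquery.com is expected to load resources from.
EXPECTED_HOSTS = {"jquery.com", "api.jquery.com", "code.jquery.com"}


def host_of(url):
    """Lowercase hostname of a URL, or '' for relative URLs and '-' placeholders."""
    return (urlsplit(url).hostname or "").lower()


def same_site(host, site):
    """True if host is site or a subdomain of site."""
    return host == site or host.endswith("." + site)


def scan_proxy_log(lines, redirector=REDIRECTOR, referer_site="jquery.com"):
    """Return (timestamp, client, url, referer) for requests to the redirector
    that were referred from the compromised site. Malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _method, url, _status, referer = parts
        if same_site(host_of(url), redirector) and same_site(host_of(referer), referer_site):
            hits.append((ts, client, url, referer))
    return hits


class _LoaderCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_offsite_loaders(html, expected_hosts=EXPECTED_HOSTS):
    """Return (tag, src) pairs whose host is absolute and not in the allowlist.
    Relative srcs have no host and are treated as same-origin."""
    parser = _LoaderCollector()
    parser.feed(html)
    return [
        (tag, src)
        for tag, src in parser.sources
        if host_of(src) and not any(same_site(host_of(src), e) for e in expected_hosts)
    ]


# Constructed sample proxy log: one client follows the injected chain, another
# reaches the redirector from elsewhere (still suspicious, but not the referrer pattern).
SAMPLE_LOG = """\
2014-09-18T14:02:11Z 10.1.2.3 GET http://jquery.com/ 200 -
2014-09-18T14:02:12Z 10.1.2.3 GET http://code.jquery.com/jquery.js 200 http://jquery.com/
2014-09-18T14:02:12Z 10.1.2.3 GET http://jquery-cdn.com/ 200 http://jquery.com/
2014-09-18T14:05:40Z 10.1.2.9 GET http://jquery-cdn.com/ 200 http://example.net/
2014-09-18T14:06:02Z 10.1.2.3 GET http://api.jquery.com/ 200 http://jquery.com/
""".splitlines()

# Constructed saved page: a relative script, the legitimate CDN, and an injected loader.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://code.jquery.com/jquery.js"></script>
<script src="http://jquery-cdn.com/"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    for loader in find_offsite_loaders(SAMPLE_PAGE):
        print("off-site loader:", loader)
```

When running this against real logs, also review every request to the redirector regardless of referrer (the second client above), since referrer headers are frequently stripped; the referrer match is what ties a request to the jquery.com injection specifically. The allowlist approach for saved content is deliberately noisy: any unexpected third-party host deserves a look, because the injected tag pointed at a domain registered the same day.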
Additionally, the security vendor OpenDNS observed a spike in traffic during the same timeframe, indicating that they also saw traffic being sent to the redirector.
It is important to note that this type of attack is extremely difficult to detect and that jQuery Foundation engineers have been working diligently on the issue. They took immediate steps to address the servers in question when we first reached out, and they disclosed the incident responsibly on their blog. The jQuery team was naturally skeptical at first, since they were unable to detect the malware themselves, but we commend them for taking the responsible approach.
As websites continue to scale and more digital transactions involving the personal information of real people take place online, the opportunities to exploit them will keep growing, with serious consequences if not properly addressed.