Over the last several days, RiskIQ has observed numerous incidents involving visits to sites running on the Drupal content management system. Several installations of Drupal 7 have been observed serving an injected script tag that directs site users to sites hosting the RIG exploit kit.
[Figure: Observed instances of RIG incidents tied to campaign]
The same RIG infrastructure (identified by second level DNS domains) is also receiving traffic from sites running WordPress, with similar compromise patterns.
On October 15, the Drupal project published advisory SA-CORE-2014-005 (and an accompanying FAQ) describing a SQL injection vulnerability in the database abstraction API layer that could be exploited by unauthenticated remote users. SQL injection flaws can pave the way for privilege escalation, arbitrary code execution, account takeover and, in some cases, complete compromise of an application or server. SQL injection is also a common technique for inserting malicious script tags into website content in order to drive traffic to blackhat infrastructure.
On October 29, the Drupal project published a public service announcement notifying users of confirmed reports of mass SQL injection attacks leveraging the disclosed vulnerability. Drupal rates the impact of the vulnerability as 25/25; it further states:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
The following Drupal-based websites were observed driving traffic to the exploit kit infrastructure. Incident links are provided to view additional information about observed activity. The method of redirection for the drive-by download is simple compared to many other active malware distribution campaigns: the iframe is injected directly into the site content and rendered when the CMS builds the page. The iframe points directly to the exploit kit landing page; no intermediary redirection or rotation services (traffic distribution systems, TDS) are used to add a layer of misdirection.
Popular Science (www.popsci.com)
Upon hitting a page returning a 404, the iframe is returned by the 404 handler.
[Figure: Iframe redirecting Popular Science online visitors to RIG exploit kit]
Homestead Technologies (www.homestead.com)
Web hosting firm Homestead also impacted:
[Figure: iframe redirecting Homestead visitors to RIG exploit kit]
Typepad (www.typepad.com)
[Figure: iframe redirecting Typepad visitors to RIG exploit kit]
Spin Magazine (www.spin.com)
[Figure: iframe redirecting SPIN visitors to RIG exploit kit]
Advertise.com (www.advertise.com)
[Figure: iframe redirecting Advertise.com visitors to RIG exploit kit]
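A defender-side check for the injection pattern described above (an iframe or script pointing off-site, injected directly into page content and, in the Popular Science case, served by the 404 handler), written as an added example that is not from RiskIQ's post or tooling. The sample page and the hostnames in it are constructed placeholders; the exploit kit's real domains are not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request
import urllib.error


class _EmbedCollector(HTMLParser):
    """Collect the attributes of every <iframe> and <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True for the typical drive-by iframe: display:none or a 1x1 (or smaller) frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", 100)) <= 1 and int(attrs.get("height", 100)) <= 1
    except ValueError:
        return False


def find_offsite_embeds(html, site_host, allowlist=()):
    """Return iframes/scripts whose src host is neither the site itself nor an allowed CDN."""
    parser = _EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        host = urlparse(attrs.get("src") or "").hostname  # None for relative paths
        if not host or host == site_host or host in allowlist:
            continue
        findings.append({"tag": tag, "src": attrs["src"], "host": host,
                         "hidden": tag == "iframe" and _is_hidden(attrs)})
    return findings


def check_url(url, allowlist=()):
    """Fetch a URL and scan the body even when the server answers 404, as the 404 handler did."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError is file-like and carries the error page body
    body = resp.read().decode("utf-8", "replace")
    return find_offsite_embeds(body, urlparse(url).hostname, allowlist)


# Constructed 404 page mimicking the observed pattern (placeholder hostnames).
SAMPLE_404 = """<html><body><h1>Page not found</h1>
<script src="/sites/all/modules/jquery.js"></script>
<iframe src="http://landing.example/?id=1" width="1" height="1" style="display:none"></iframe>
</body></html>"""
```

Run `check_url("https://www.example.org/this-page-does-not-exist")` against a site you administer to exercise its 404 handler; any finding with `hidden` set deserves an immediate look at the CMS content tables.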
Affected Drupal installations may be impacted by multiple attackers and leveraged for a variety of purposes. The activity RiskIQ has observed is driving traffic from affected sites to installations of RIG exploit kit, which serves a variety of browser and plugin exploits to visitors in an attempt to install malware on their systems. The RIG installations we’ve observed have been hosted on a number of rogue A records in compromised DNS zones pointing to the following host:
126.96.36.199 AS49505 | RU | ripencc | 2009-06-18 | SELECTEL OOO _Network of data-centers _Selectel_
AS49505 Selectel is a large Russian datacenter operator, and a common source of Eastern European cybercrime activity. Domain names found resolving to this IP address include:
We offer the following advice regarding the observed activity: