[Update #2] Russian government portal served as an intermediary in malicious-ad attacks for three years

Unbelievable? Not entirely. We have seen a similar incident in our own country: it lasted from October 2016 until February of this year, and the website knf.gov.pl was among the infected sites belonging to 104 organizations in 31 countries. Now, thanks to the Russian security vendor Doctor Web, we learn that similar attacks may have been going on since 2015: hackers compromised the Russian government portal gosuslugi.ru, which consolidates information about, among other things, obtaining a passport, social assistance, pensions, as well as taxes and fees.

According to Alexa.com statistics, this portal ranks 27th among the most visited websites in Russia. Given the population of our eastern neighbour, the number of infections or malicious redirects that took place from 2015 until today could be very large. A representative of Yandex, the Russian search engine, does not rule out attempts to infect the moderators and administrators of the government website. In turn, Kaspersky Lab's Yury Namestnikov claims that the infected page inflated clicks on ads. The malicious script (detected as AdWare.Script.Generic) and the Iframer trojan clearly suggest that the criminals' objective was to infect computers with a virus that generates clicks.

At the moment we do not know the exact technical details. It is quite likely that the Russian portal was used not only for malicious redirects to domains registered in the Netherlands, but also for drive-by download attacks. Considering current cybercriminal trends, however, we can point to the tools hackers use to achieve their objective (infecting computers):

  • Rig Exploit Kit is still used by cybercriminals. It has at least two variants: RIG-E and RIG-V. After the fall of the Angler Exploit Kit last year, it became the most widely used tool for infecting computers. It was used to infect Polish Internet users who, at the time, visited more than a thousand different Polish sites. According to the authors of that report, Exatel, it was one of the biggest attacks against Internet users in Poland.
  • BEPs, also known as Sundown Exploit Kit. It reached its greatest popularity among cybercriminals in 2016 and earlier. It uses the same techniques known from other exploit kits, which were most likely stolen and copied "1:1". Currently, Sundown Exploit Kit is inactive due to a leak of its code.
  • Magnitude Exploit Kit is a significant exploit kit in the cybercriminal world. Security teams have encountered it in attacks that used malicious ads. Ad networks are often not in a position to verify all the ads displayed through large portals such as java.com or youtube.com. Attacks involving Magnitude EK are concentrated mainly on countries in Asia.

Injected code

Doctor Web reports malicious redirection to a click-counting page, which suggests a cybercriminal advertising campaign (malvertising), as well as earlier drive-by download attacks. In the latter case, the destination is called a "landing page". Typically it automates the infection by matching the exploit to the operating system, browser and plug-ins that are running.

The Russian anti-virus producer detected an iframe in the page code, which was most likely injected through a vulnerable web application or script.

The official statement of the Russian Ministry of Communications found nothing interesting in the matter:

The vulnerability has been patched. There are no negative consequences for users.

The portal itself, the source of the infection, approached the key security issues differently. Doctor Web reports that it made information about the incident public because the portal's administrators showed no commitment to improving security.

Key lessons from this incident

The infection of one of the servers of the Polish Financial Supervision Authority (KNF) and of the Russian portal show that ensuring the security of public websites, which are universally regarded as trustworthy, should be a priority beyond any discussion. As usual, the worst part is that once again it is Internet users who are left helpless, and they rarely realize how their computers can become infected.

What can website administrators do? First of all, keep the sites they manage updated, and also take care of the security of the files on the server. In other words, a security scanner that verifies the files making up the entire website is a good idea, ideally one that runs directly on the server. I wonder how many similar malicious websites we have in Poland, long forgotten and never updated?
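The two defensive checks suggested above (the injected iframe that Doctor Web found in the page code, and the advice to verify the files that make up the site) can be combined into one small scanner. The following is an added example written for this article, not code from AVLab, Doctor Web or the portal; the hostnames, file names and sample pages are constructed for the demonstration.

```python
"""
Added example (not AVLab's or Doctor Web's code): a baseline-and-diff integrity
check for a web root, plus a scan of HTML files for iframes that look injected
(hidden, 1x1, or pointing to a host that is not ours). All hostnames and sample
files below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Hidden or 0/1-pixel frames are the classic signature of injected redirect code.
HIDDEN_RE = re.compile(
    r"""display\s*:\s*none|visibility\s*:\s*hidden"""
    r"""|(?:width|height)\s*=\s*["']?[01]\b""",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map every file under the web root (relative POSIX path) to its hash."""
    return {
        p.relative_to(webroot).as_posix(): sha256_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def diff_baseline(webroot: Path, baseline: dict) -> dict:
    """Compare the current tree against a previously stored baseline."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def suspicious_iframes(html: str, own_hosts: set) -> list:
    """Flag iframes that are hidden/tiny or whose src host is not one of ours."""
    findings = []
    for match in IFRAME_RE.finditer(html):
        tag = match.group(0)
        src = SRC_RE.search(tag)
        host = ""
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
        offsite = host != "" and host not in own_hosts   # relative src -> not off-site
        hidden = HIDDEN_RE.search(tag) is not None
        if offsite or hidden:
            findings.append({"tag": tag, "host": host, "offsite": offsite, "hidden": hidden})
    return findings


def scan_webroot(webroot: Path, own_hosts: set) -> dict:
    """Run the iframe heuristics over every HTML file under the web root."""
    results = {}
    for p in sorted(webroot.rglob("*.html")):
        hits = suspicious_iframes(p.read_text(encoding="utf-8", errors="replace"), own_hosts)
        if hits:
            results[p.relative_to(webroot).as_posix()] = hits
    return results


def run_demo() -> dict:
    """Constructed scenario: clean site, baseline, then a simulated injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><body><h1>Portal</h1><iframe src="/widget.html"></iframe></body></html>'
        )
        (root / "style.css").write_text("body { margin: 0; }")
        baseline = build_baseline(root)          # what a cron job would store
        # Simulated compromise: hidden off-site iframe appended, plus a dropped file.
        with (root / "index.html").open("a") as fh:
            fh.write('<iframe src="http://ads.example.invalid/r.php" width="1" height="1" '
                     'style="display:none"></iframe>')
        (root / "r.php").write_text("<?php // constructed placeholder for a dropped file ?>")
        return {
            "diff": diff_baseline(root, baseline),
            "iframes": scan_webroot(root, {"portal.example.invalid"}),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline would be written once after a known-good deployment and stored off the web server, and the diff plus iframe scan would run on a schedule; the legitimate same-origin iframe in the sample page is not reported, while the appended hidden off-site frame and the dropped file are.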

Are you worried that your security program does not protect you from similar attacks? Check out AVLab's test in which computers were attacked in a similar way. Maybe this is the best moment to think about your security and finally install or change your current security software?

[Updated #2, 14.07.2017]

We asked Kaspersky Lab representatives in Russia for comment.

Andrey Mayevsky: This case concerned code injection and affected many other pages in the so-called Russian segment of the Internet. The injected code is an adware script which redirects users to another page for the purpose of traffic generation. The script should be connected to a content network that sells traffic. The adware campaign itself is quite old: the first samples of this script were detected as early as 2015. The infection of the portal most likely occurred through infected browser extensions on the computers of administrators or people editing the gosuslugi.ru website, which means that these machines had to be infected with malicious software.
