Aussie site caught up in CryptXXX ransomware-spreading campaign

By on
Aussie site caught up in CryptXXX ransomware-spreading campaign

Dunlop's site compromised, users redirected to exploit kit.

Attackers are targeting business websites through a vulnerable version of the Revslider slideshow plugin for Wordpress to spread the CryptXXX ransomware.

Security vendor Invincea warned that the SoakSoak botnet, active since 2014, is currently scanning for websites running a vulnerable version of Revslider.

Once a vulnerable installation is found, SoakSoak adds a redirection script to another website that contains the popular Neutrino exploit kit. Neutrino looks for security tools and debuggers on the target system, and if none are found, it drops the CryptXXX ransomware.

CryptXXX appeared in April this year and attacks Microsoft Windows computers. Files scrambled by the latest version of the ransomware cannot yet be decrypted. The ransom is set at 2.4 bitcoin, or A$2154, to obtain a decryptor from the extortionists.

Invincea listed a number of websites it discovered had been compromised, including that for Australian building supplies and adhesives business Dunlop.

Dunlop parent Ardex Australia said it was "currently investigating" the weakness and declined to elaborate.

A vulnerable version of the RevSlider plugin for Wordpress was behind the March 2015 compromise of the New South Wales government GovDC website. In December 2014, over 100,000 sites with the Revslider plugin were compromised in a single day.

Invincea has collated a list of global business sites currently compromised by the SoakSoak ransomware-spreading campaign.

The firm warned that botnets are constantly scanning webservers around the world, looking for vulnerable plugins, themes or outdated content management systems, to exploit for redirections to exploit kits.

It advised admins to monitor their sites, keep them fully patched and to remove any themes and plugins are not in use.

Update: Ardex IT supervisor Jürgen Mertin said the vulnerability was removed within an hour after the company was advised of the vulnerability by iTnews. He said the company had not been notified of the issue by Invincea.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
ardex cryptxxx dunlop invincea malware pat belcher ransomware security

Sponsored Whitepapers

Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams

Events

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
Service NSW to hire 200 engineers, designers

Service NSW to hire 200 engineers, designers
CBA takes 25 percent stake in two NBN retail service providers

CBA takes 25 percent stake in two NBN retail service providers
Toll Group starts to scale out intelligent automation

Toll Group starts to scale out intelligent automation

Log In

Email:
Password:
  |  Forgot your password?