"More Than 250 Newspaper Sites Across the US Access Malicious JavaScript in Malware Supply Chain Attack"

Due to the compromised infrastructure of an unnamed media firm, a large number of US news sites have been infected with the SocGholish JavaScript malware framework, also known as FakeUpdates. According to security experts at enterprise security firm Proofpoint, the malware has infected more than 250 regional and national newspaper sites in the US.

The threat actor behind the supply chain attack, tracked as TA569 by Proofpoint, injected malicious code into a benign JavaScript file, which was then loaded by the news outlets' websites. According to Threat Insight, the media company hosting this malicious code served content to its partners via JavaScript. The affected media organizations served Boston, New York, Chicago, Miami, Washington DC, Cincinnati, and Palm Beach. Sherrod DeGrippo, VP of threat research and detection at Proofpoint, says the affected media company is a firm that provides video and advertising content to major news outlets.

TA569 has historically rotated between removing and reinstating these malicious JavaScript injects. As a result, the presence of the payload and malicious content varies from hour to hour, and a detection should not be regarded as a false positive.

SocGholish, according to Red Canary, is an initial access threat that uses drive-by downloads disguised as software updates. It gains execution through social engineering, tricking unsuspecting users into running a malicious JavaScript payload stored within a downloaded ZIP file. Visitors to compromised websites may become infected with malware payloads disguised as fake browser updates delivered as ZIP archives. This article continues to discuss the installation of malware on sites belonging to more than 250 US news outlets.

Tech News reports "More Than 250 Newspaper Sites Across the US Access Malicious JavaScript in Malware Supply Chain Attack"
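Because the inject described above sits in a third-party script and comes and goes between visits, a site operator can pin the reviewed script's Subresource Integrity value and keep any mismatch as a finding even when a later fetch looks clean. The following is an added example, not code from the article or from Proofpoint; the script bodies, timestamps and the `vendor.example` URL are constructed for illustration.

```python
import base64
import hashlib

def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def review_samples(pinned: str, samples):
    """Compare repeated fetches of one script URL against the pinned SRI value.

    samples: list of (timestamp, body_bytes), oldest first.
    A single mismatch is kept as a finding even when later fetches match again,
    because the inject may be removed and reinstated between polls.
    """
    if not samples:
        return {"verdict": "no-data", "mismatches": []}
    observed = [(ts, sri_sha384(body)) for ts, body in samples]
    mismatches = [(ts, sri) for ts, sri in observed if sri != pinned]
    if not mismatches:
        verdict = "clean"
    elif observed[-1][1] == pinned:
        verdict = "tampered-intermittent"   # seen earlier, absent in latest fetch
    else:
        verdict = "tampered-active"         # latest fetch still differs
    return {"verdict": verdict, "mismatches": mismatches}

def script_tag(url: str, pinned: str) -> str:
    """Script element that makes the browser refuse a body not matching the pin."""
    return f'<script src="{url}" integrity="{pinned}" crossorigin="anonymous"></script>'

# Constructed sample data: a stand-in vendor script and an altered copy of it.
BENIGN = b"function loadPlayer(){ /* constructed benign vendor script */ }\n"
ALTERED = BENIGN + b"/* constructed placeholder for appended third-party code */\n"
PINNED = sri_sha384(BENIGN)          # value recorded when the file was reviewed
SAMPLES = [                          # constructed hourly polls of the same URL
    ("2022-01-01T10:00Z", BENIGN),
    ("2022-01-01T11:00Z", ALTERED),
    ("2022-01-01T12:00Z", BENIGN),
]

if __name__ == "__main__":
    print(review_samples(PINNED, SAMPLES))
    print(script_tag("https://vendor.example/player.js", PINNED))
```

The `integrity` attribute only helps when the vendor serves a versioned, unchanging file; for scripts the vendor updates in place, the polling comparison against a reviewed baseline is the practical fallback.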

 
