Fireye.com posted the following on September 14, 2013:
There’s never a dull day at FireEye — even on the weekends. At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found at hxxps://twitter.com/heff.
Technical Details
The full redirect looked like this:
hxxp://www[.]fireeye[.]com/careers/
(redirect to) -> hxxp://xxx[.]xxxxxxxx[.]com/career/
CareerHome.action?clientId=8aa00506326e915601326f65b82e1fcb
(calls) -> hxxp://vjs[.]zencdn[.]net/c/video.js (VULNERABLE JAVASCRIPT)
(calls) -> hxxp://cdn[.]adsbarscipt[.]com/links/jump/ (MALVERTISEMENT)
(calls) -> hxxp://209[.]239[.]127[.]185/591918d6c2e8ce3f53ed8b93fb0735cd
/face-book.php (EXPLOIT URL)
(drops) -> MD5: 01771c3500a5b1543f4fb43945337c7d
(Update_flash_player.exe)
So what was this, anyway?
It turns out, this attack was not targeted and it was not a watering hole attack. Instead, this campaign appears to be a recent wave of the Darkleech malware campaign, where third-party Horde/IMP Plesk Webmail servers were vulnerable to attack and used to serve up Java exploits that ultimately drop yet another ransomware named Reveton (similar to Urausy) – yet other AV engines report it as a Zeus Bot (Zbot) variant.
Do FireEye products detect this attack?
Yes, the initial infection vector, payload, and corresponding Reveton callbacks were fully detected across all FireEye products prior to this incident being reported to us. In fact, this particular Reveton sample has been reported by approximately 49 of our worldwide customers, so far. Further intelligence about this threat is listed below:
- DTI Statistics for MD5: 01771c3500a5b1543f4fb43945337c7d
- MD5 first seen by our customers: 2013-09-14 07:12:40 UTC
- Number of unique worldwide FireEye Web MPS detections: 188+
- Number of unique FireEye Web MPS customers reported/alerted on this sample: 49+
- Number of industries affected: 12+
Attack victims by business sector : 56% education, 14% high-tech, 7% entertainment/media/hospitality, 6% healthcare/pharmaceuticals, 5% energy/utilities/petroleum refining, 4% government, 3% telecom, 2% services
Lastly, FireEye acknowledges and thanks security researchers Inaki Rodriguez and Stephanus J Alex Taidri for bringing this issue to our attention.