Owners of websites built using the jQuery library are being warned of an attack against the toolkit’s website which is redirecting visitors to a third-party site hosting the RIG exploit kit.
JQuery is a free and open source JavaScript library used for a number of things, including building AJAX applications and other dynamic content. According to SimilarTech.com, jQuery is found in 61 percent of the top 10,000 websites, and more than 65 million sites overall.
Risk management software company RiskIQ early this morning reported the attack against jQuery.com and said the redirect page in question, jquery-cdn[.]com was still live and redirecting visitors. RiskIQ said it has notified jQuery.com of the attack. James Pleger, director of research, said that victims were compromised in a drive-by download attack at the jQuery website, which was redirecting browsers to the site hosting RIG.
RIG was discovered earlier this year and typical of other exploit kits, it targets vulnerabilities in popular applications such as Java, Adobe Flash and Microsoft’s Internet Explorer and Silverlight programs.
Attackers found a weakness in the jQuery website and injected malicious JavaScript that redirects victims. RiskIQ said it detected malware on compromised machines that steals credentials and other data.
“It’s important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users,” Pleger said. “JQuery users are generally IT systems administrators and web developers, including a large contingent who work within enterprises.”
By dropping keyloggers and other malware that scoops up credentials, RiskIQ hypothesizes that the attackers are after privileged users inside the enterprise.
“Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach,” Pleger said.
Cisco researchers shed some additional light into RIG in June when they published a report that some versions of RIG were spreading Cryptowall, a successor/copycat of the Cryptolocker ransomware. RIG was first spotted in April and peaked in May. Early versions use malvertising networks to infect victims. RIG was also implicated in a compromise of popular sites such as askmen.com. RiskIQ said different iterations have also dropped banking Trojans and other types of information stealing malware.
“Planting malware on open source websites is not a new technique,” Pleger said. “These websites are high value targets due to the type of users that frequent them. Several other high profile, open source websites have had this issue in the past.”
RiskIQ said that the malicious re-director it found on jQuery.com was hosted in Russia and domain is less than a week old.