Global Malvertising Campaign Blamed For UCL Ransomware Attack
Researchers at Proofpoint say the malvertising in question has popped up around the world on several high-profile websites
Security researchers at Proofpoint believe the ransomware attack which caused disruption at University College London (UCL) last week could have been spread by a malvertising campaign.
Proofpoint researcher Kafeine has pointed the finger at the AdGholas hacking group for the attack on UCL and a number of other UK universities, carried out via malware-infused online ads that infected the PC of any user who visited a compromised website.
The malvertising apparently appeared on several high-profile websites, in a move away from the group’s traditional focus on banking Trojans.
Malicious ads
Through the discovery of the command and control (C&C) IP address, Proofpoint’s research found that hackers used the Astrum exploit kit to deliver the Mole ransomware.
This host had previously been used in malvertising campaigns in several other countries – including Australia, Canada, Italy and Switzerland – before also appearing in Japan, Taiwan, and the United States.
“The level of complexity of this particular infection chain suggests a higher-than-average level of sophistication on the part of the threat actors,” said Kevin Epstein, VP of Proofpoint’s Threat Operations Center.
“If the malicious payload in this case hadn’t been ransomware, which is obviously much more visible to users than the banking Trojans these threat actors normally distribute, the victims might never have known they were infected.
“It isn’t necessary to click on an ad in a modern malvertising attack; a user on a targeted, vulnerable PC only needs to visit a page displaying a malicious ad to be infected with the payload of the threat actor’s choice.”
UCL is not the only educational institute to have been targeted by some kind of cyber attack, as cyber security within the sector continues to grow in prominence.
Another high-profile incident occurred in March when a US college was hit by a 54-hour long attack by a variation of the Mirai botnet, which famously took down some of the world’s biggest sites in 2016.