As many as 250 US news websites have been compromised and are being used to spread malware to readers' phones and systems.
The threat actor behind this supply-chain attack has been identified as TA569, according to Proofpoint’s Threat Insight team. “We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” it tweeted.
Proofpoint further observed that TA569 inserted the malicious code into the assets of a media company whose content is used by multiple news organizations. More than 250 regional and national newspaper sites have been infected by the code. The actual number of impacted hosts is known only to the impacted media company.
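Because the injected JavaScript arrives through a shared third-party asset and is rotated in and out, a site operator cannot rely on a single scan. A practical defender-side check is to fetch the page repeatedly, flag any external script host that is not on the operator's own allowlist, and fingerprint the inline scripts so that a change between fetches is noticed. The following Python is an added illustration of that check written for this article; it is not code from Proofpoint, TA569, or the affected media company. The allowlisted hosts and the sample HTML are constructed, and the "injected" page is a hypothetical stand-in for what a compromised asset might add.

```python
"""Spot unexpected external script hosts on a page and detect inline-script drift
between fetches. Added example; hosts and sample pages below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this site expects to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"static.example-news.test", "cdn.example-video.test"}


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def find_unexpected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return external script URLs whose host is not on the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    unexpected = []
    for src in parser.external:
        # Protocol-relative URLs ("//host/x.js") parse to a netloc; relative
        # paths have none and are served by the site itself, so they pass.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            unexpected.append(src)
    return unexpected


def inline_script_fingerprint(html):
    """SHA-256 over the sorted inline scripts; compare across fetches to
    catch payloads that are swapped in and out over time."""
    parser = ScriptCollector()
    parser.feed(html)
    digest = hashlib.sha256()
    for body in sorted(parser.inline):
        digest.update(body.encode("utf-8"))
        digest.update(b"\0")
    return digest.hexdigest()


# Constructed sample pages: a clean fetch, one with an extra third-party
# loader, and one where an inline script has changed.
PAGE_CLEAN = """<html><head>
<script src="https://static.example-news.test/app.js"></script>
<script src="/local/analytics.js"></script>
<script>window.siteConfig = {region: "boston"};</script>
</head><body>news</body></html>"""

PAGE_INJECTED = PAGE_CLEAN.replace(
    "</head>",
    '<script src="//ads.unknown-third-party.test/loader.js"></script></head>',
)

PAGE_ROTATED = PAGE_CLEAN.replace('region: "boston"', 'region: "boston", v: 2')


def main():
    baseline = inline_script_fingerprint(PAGE_CLEAN)
    for name, page in (("clean", PAGE_CLEAN), ("injected", PAGE_INJECTED),
                       ("rotated", PAGE_ROTATED)):
        print(name, "unexpected hosts:", find_unexpected_scripts(page),
              "inline changed:", inline_script_fingerprint(page) != baseline)


if __name__ == "__main__":
    main()
```

Run this on a schedule against a stored baseline rather than once: as the Proofpoint note above points out, the injected content can be absent on one fetch and present on the next, so a clean result is only a statement about that moment.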
The impacted media organizations serve Boston, New York, Chicago, Miami, Washington DC, Cincinnati, Palm Beach, and other national news outlets. According to a report by BleepingComputer, Sherrod DeGrippo, VP of threat research and detection at Proofpoint, said: “The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States.”
Proofpoint has previously observed that SocGholish campaigns use fake updates and website redirects to infect users, in some cases delivering ransomware payloads.