What is the issue - Researchers from ThreatLabZ have detected several compromised content management system (CMS) sites, such as WordPress and Joomla, that were serving Shade ransomware, backdoors, redirectors, and a variety of phishing pages.
Why it matters - Attackers are compromising CMS sites and are injecting malicious content.
Worth noting - The core reason for the compromise of WordPress and Joomla sites could be unpatched vulnerabilities and outdated plugins, themes, and extensions.
Researchers noted that the compromised WordPress sites are running versions 4.8.9 to 5.1.1 and are most likely using outdated CMS themes or server-side software.
The big picture
ThreatLabZ monitored the compromised HTTPS sites and noticed that attackers are leveraging a well-known hidden directory present on the HTTPS site for storing and distributing Shade ransomware and phishing pages.
“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain,” researchers described.
The technique is very effective because this directory is already present on most HTTPS sites and is hidden.
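The defender's counterpart to this technique is to treat the validation directories as allow-list-only: an HTTP-01 challenge token is a base64url file name whose body is `<token>.<account-key-thumbprint>` (RFC 8555), so anything else sitting under `/.well-known/acme-challenge/` or `/.well-known/pki-validation/` deserves a look. The script below is an added example written for this article, not code from ThreatLabZ; it audits a local webroot, flags files that are not well-formed tokens, and flags executable, archive, HTML or PHP payloads anywhere under `.well-known`. The token value, thumbprint, file names and webroot layout in the demo are constructed, as are the `build_demo_webroot`, `payload_type`, `classify_file` and `audit_well_known` names.

```python
"""Audit a webroot's /.well-known/ tree for files that are not ACME validation tokens."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# HTTP-01 token file names are base64url strings and the body is
# "<token>.<thumbprint>" (RFC 8555 section 8.3). Anything else in a
# validation directory is not something an ACME client would have written.
TOKEN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{20,128}$")
TOKEN_BODY_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\s*$")

# Only these sub-directories are expected to hold validation tokens.
VALIDATION_DIRS = ("acme-challenge", "pki-validation")

# Leading bytes of payload types that have no business under .well-known at all.
BINARY_MAGIC = {b"MZ": "pe executable", b"\x7fELF": "elf executable", b"PK\x03\x04": "zip archive"}
TEXT_MAGIC = {b"<!doctype": "html document", b"<html": "html document",
              b"<script": "script", b"<?php": "php source"}


def payload_type(head: bytes) -> Optional[str]:
    """Label the first bytes of a file if they look like a dropped payload, else None."""
    for magic, label in BINARY_MAGIC.items():
        if head.startswith(magic):
            return label
    stripped = head.lstrip().lower()          # tolerate leading whitespace / case
    for magic, label in TEXT_MAGIC.items():
        if stripped.startswith(magic):
            return label
    return None


def classify_file(path: Path, in_validation_dir: bool) -> Optional[str]:
    """Return a finding for a suspicious file, or None if it is acceptable where it sits."""
    head = path.read_bytes()[:512]
    kind = payload_type(head)
    if kind:
        return kind
    if not in_validation_dir:
        return None                           # e.g. security.txt: text, outside token dirs
    if not TOKEN_NAME_RE.match(path.name):
        return "filename is not a challenge token"
    try:
        body = head.decode("ascii")
    except UnicodeDecodeError:
        return "non-ascii token body"
    if not TOKEN_BODY_RE.match(body):
        return "body is not token.thumbprint"
    return None


def audit_well_known(webroot: Path) -> List[Tuple[str, str]]:
    """Walk webroot/.well-known and return sorted (relative path, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    wk = webroot / ".well-known"
    if not wk.is_dir():
        return findings
    for root, _dirs, files in os.walk(wk):
        for name in files:
            p = Path(root) / name
            rel_parts = p.relative_to(wk).parts
            in_validation = rel_parts[0] in VALIDATION_DIRS and len(rel_parts) > 1
            finding = classify_file(p, in_validation)
            if finding:
                findings.append((p.relative_to(webroot).as_posix(), finding))
    return sorted(findings)


def build_demo_webroot() -> Path:
    """Create a constructed webroot: one legitimate token plus three planted files."""
    root = Path(tempfile.mkdtemp(prefix="wk-audit-"))
    ch = root / ".well-known" / "acme-challenge"
    ch.mkdir(parents=True)
    # Constructed (not real) HTTP-01 token and thumbprint, well-formed per RFC 8555.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    (ch / token).write_text(token + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI")
    # Constructed stand-ins for the kinds of files the article describes being hosted here.
    (ch / "login.html").write_text("<!DOCTYPE html><html><body>Sign in</body></html>")
    (ch / "invoice").write_bytes(b"MZ" + b"\x00" * 64)
    pki = root / ".well-known" / "pki-validation"
    pki.mkdir()
    (pki / "index.php").write_text("<?php echo 'x'; ?>")
    # Legitimate non-token entry that must not be flagged.
    (root / ".well-known" / "security.txt").write_text("Contact: mailto:security@example.invalid\n")
    return root


if __name__ == "__main__":
    for rel, finding in audit_well_known(build_demo_webroot()):
        print(f"{rel}: {finding}")
```

Run against a real webroot by passing its path to `audit_well_known`; a production version would also flag token files older than the CA's validation window, since legitimate tokens are short-lived, and would be paired with a web-server rule that refuses to execute scripts or serve HTML from these directories.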
How do attackers distribute the Shade ransomware?
Which phishing pages are propagated?
Researchers detected spoofed phishing pages impersonating Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, etc., hosted in the SSL-validated hidden directories.