India Insights with Geetha Nandikotkur

Data Breach, Governance, Incident Response

Is HPCL's Website Under Cerber Ransomware Attack? Research Firm Claims Site Hijacked, But HPCL Awaits CERT-In Review
Cerber ransomware message. Source: Arctos Threat Research Co.

The website of Mumbai-based Hindustan Petroleum Corp. Ltd has been hijacked by hackers, according to Arctos Threat Research Co. Arctos claims that it discovered that the website of the public sector organization was infected with Cerber ransomware. The site now includes a malicious link that infects the computers of anyone visiting, Arctos contends.


But HPCL claims that vulnerability assessment and penetration tests so far show no malware infection. And it's awaiting the results of CERT-In's investigation into whether the website, indeed, is infected.


Palani Bala, Arctos' CTO, claims that HPCL's site was compromised by a series of attacks by the pseudo-Darkleech campaign, which exposes users to Nemucod malware that, in turn, downloads Cerber ransomware onto their machines.

Darkleech is a long-running campaign that uses exploit kits to deliver malware. First identified in 2012, this campaign has used different kits to distribute various types of malware. Now dubbed "pseudo-Darkleech," this campaign has undergone significant changes since the last time we examined it.

Even though Arctos notified HPCL by email on Dec. 27 of the issues it discovered, the India-owned oil company apparently has not taken action; the website was continuing to serve malware as of Jan. 10, Arctos claims.

Injected iframe in Hindustan Petroleum home page. Source: Arctos Threat Research Co.

When I presented HPCL's IT and security team with information about the malware infection along with the screen shots on Jan. 1, Jayant Gupta, HPCL's security head, told me that the logs would be shared with CERT-In and with vulnerability assessment and penetration test experts to confirm malware presence.

List of hidden URLs in iframes on various dates. Source: Arctos Threat Research Co.

On Jan. 2, Gupta confirmed that the logs have been shared with CERT-In and his VAPT experts. Then on Jan. 4, Gupta said that the VAPT test results did not discover any malware, but he was still awaiting the CERT-In report.

CERT-In did not respond to ISMG's requests for comment.

This situation merits prompt investigation by CERT-In because thousands of visitors to HPCL's website could potentially fall victim to the malware.

Modus Operandi

Screen shots provided by Arctos of HPCL's website appear to show an iframe injected into the landing page, with the injected frame updated every day to serve new malware from different sources.

Highly obfuscated landing page. Source: Arctos Threat Research Co.

The Arctos team says it discovered the malware infection using an automated threat monitoring crawler system that monitors websites for compromise and malicious content.
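A sketch of the kind of check such a monitoring crawler can run, added here as an example and not Arctos' code or part of the original reporting: because the injected frame's URL reportedly changed daily, it compares every iframe against an allowlist of expected hosts rather than a blocklist. The host names, sample HTML and "hidden" heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics for an invisible frame; not taken from the Arctos report.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:top|left)\s*:\s*-\d+|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

# Constructed sample landing page (all hosts are placeholders).
SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="/promo/banner.html" width="300" height="100"></iframe>
<iframe src="http://gate.injected.example/?q=1" style="position:absolute; top:-1145px; width:308px;"></iframe>
<iframe src="https://widgets.partner.example/map" width="400" height="300"></iframe>
</body></html>"""

class IframeAudit(HTMLParser):
    """Collect iframes whose host is neither the site itself nor allowlisted."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # relative, same-site or allowlisted frame
        hidden = (
            bool(HIDDEN_STYLE.search(a.get("style", "")))
            or a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
        )
        self.findings.append({"host": host, "src": a["src"], "hidden": hidden})

def audit(html, site_host, allowed_hosts=()):
    parser = IframeAudit(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(audit(SAMPLE, "www.example-corp.test", ["www.youtube.com"]))
```

Any finding is worth a look; one with `hidden` set on a host nobody recognizes is the pattern the screen shots describe.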

The executable downloaded logs delivered by exploit kits were analyzed through a behavior analysis engine, which identified the executable file as Cerber ransomware based on behavior classification, Bala says.

Landing page deobfuscated by Arctos Ateles engine. Source: Arctos Threat Research Co.

Bala claims the attackers run automated bots that look for vulnerable sites and then tamper with them by adding additional content that delivers malware to visitors' computers.

The exploit hosted on the compromised website exploits zero-day vulnerabilities in browsers to download or drop malware binaries - the most common method malware writers follow. HPCL's public website fell victim to such an attack, distributing Cerber ransomware that encrypts the files on users' computers and demands ransom for decrypting them, according to Arctos.

Experts say hackers using Cerber ransomware usually demand $1,000 (U.S.) in bitcoin from infected users.

Arctos claims its researchers found that the HPCL website contained additional code, added to the home page script, redirecting to a link that has the RIG exploit.

C.N. Shashidhar, CEO of Bangalore-based SecureIT, says that hackers using Cerber ransomware generally target vulnerable websites with high traffic.

CVE-2016-0189. Source: Arctos Threat Research Co.

He claims the ransomware is embedded in the HPCL website in such a way that any visitor is automatically infected - a technique called "drive-by malware." Cerber ransomware and its encryption components are updated daily on the site, he adds.

First appearing in March 2016, Cerber often contains an audio file with a ransom message. The ransomware largely spreads via spear-phishing campaigns, security experts say.

Taking Advantage of Outdated Technology?

Arctos suspects the HPCL attackers' bot might have exploited vulnerabilities in an old Apache web-server or any additional services/plug-ins running in the server, Bala says.

He recommends that HPCL's webserver infrastructure perimeter be protected around the clock by advanced security monitoring solutions to detect such compromises.

In the meantime, it's time CERT-In made a recommendation to HPCL and others on how to avoid infections.



About the Author

Geetha Nandikotkur


Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.



