Compromised SilkTide Cookie-Consent logo – Part 3

Posted on 2020-05-23 by guenni

[German]The compromised Amazon AWS S3 Buckets, which I addressed in the blog post Warning: Infected Cookie Consent logo delivers Ransomware seems delivering constantly new payloads via compromised files.

Advertising

Within the blog post Warning: Infected Cookie Consent logo delivers Ransomware I had compiled some background information on this topic. But it looks like the abuse of the compromised Amazon AWS S3 bucket has been going on for years and new payloads are being delivered all the time.

Former misuse of the AWS S3 Bucket

After I posted some details on Twitter and on social networking sites, there was feedback from security researchers and other people. The Amazon AWS S3 Bucket has been abused for years. Daniel Ruf pointed out on Facebook that there are three documented cases of abuse in the past that involve malicious files from the Amazon AWS S3 Bucket.

Mobile browser redirection in September 2019

The first case Daniel Ruf pointed out on Facebook used a manipulated script file from the Amazon AWS S3 Bucket. The following tweet refers to a case from September 2019 where a script was compromised.

There, using the back button on a mobile device will redirect the user to a fraudulent website. The details are described in more detail in this Italian article.

Advertising

Cases from July 2017

Another case from July 2017 was briefly documented in this forum post. It also talks about a redirect on mobile devices, which is based on manipulated files of the Cookie Consent Plugin from Silktide. The post describes the situation at that time. The next case from 2017 is discussed in this GitHub post by Phil E. Taylor. The manipulated script files pursued the goal of redirecting users to porn sites.

Attack on Portuguese websites (January 2020)

In the blog post Warning: Infected Cookie Consent logo delivers Ransomware I had already mentioned the hint from Lawrence Abrams that the compromised Amazon AWS S3 Buckets had been an issue in January 2020.

At that time the focus was on Portuguese websites. Lawrence Abrams from Bleeping Computer sent me an earlier link to Virus Total, where a lot of virus scanners on Virus Total recognized a payload as dangerous. But that can change at any time.

Current payloads change daily

Since I wrote the first article a few hours ago, people have been having people check the URL with the logo file. When I called it a few hours ago, only two (Fortinet and Kaspersky) of 80 virus scanners on VirusTotal detected malware. There is a community article about it, where someone discusses this malware.

Suddenly WannaPeace Ransomware

Based on my blog post and the discussion on Twitter, security researcher Kevin Beaumont has posted the following tweet

On May 21, 2020 he received the WannaPeace ransomware as a 'payload' from the compromised Amazon AWS site, disguised as a software update. But the payload was broken, as a check of the .png file with VirusTotal revealed.

What you can do

Administrators in enterprise environments can to block the URL *https[:]//s3-eu-west-1.amazonaws[.]com/assets.cookieconsent.silktide.com/ completely for access from the net. Webmasters of websites, on the other hand, should check if the Cookie Content solution of SilkTide is in use. If so, the code should be removed and switched to another solution.

Addendum: Amazon has closed the offending account and suspended the bucket according to their support team so none of those S3 bucket items are any longer available on the Internet.

Article series
Warning: Infected Cookie Consent logo delivers Ransomware
Compromised SilkTide Cookie-Consent Logo – Part 2
Compromised SilkTide Cookie-Consent Logo – Part 3

Advertising
This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).