Cyberwire Daily
Operation Endgame Disrupts Malware Linked to Major Ransomware Gang

By Team-CWD, June 19, 2026


A major cybercriminal network involving thousands of infected websites used to distribute malware has been disrupted by an international law enforcement takedown.

The action against the SocGholish malware group formed the latest part of Operation Endgame, an ongoing global police investigation to combat ransomware and cybercrime worldwide.

The action, announced by the Dutch police on June 18, was taken to remediate infections of 15,000 websites controlled by the SocGholish group and to dismantle the botnet associated with the group.

Notably, the SocGholish botnet was regularly used by Evil Corp, the notorious, Russia-based ransomware and cybercrime group behind a swath of destructive malware attacks worldwide, including against governments, healthcare institutions and enterprises.

SocGholish gained access to legitimate WordPress sites by hacking them or by using previously leaked credentials. As detailed by Proofpoint, which tracks SocGholish as TA569, these compromised websites were used to push malicious pop-ups to visitors, telling them that they were using out-of-date software which needed updating.

If the user installed the ‘update’, they became infected with malware and were roped into the SocGholish botnet, which was used to deliver malware and ransomware to further victims.

The international law enforcement action against SocGholish has seen the takedown of 106 servers and domains associated with the malware, as well as the remediation of infections on the compromised websites.

“With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware,” said Maikel Rollman of the Netherlands National High Tech Crime Unit (NHTCU).

“It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish,” he added.


The coordinated action, which took place over a week, was taken jointly by specialist agents and officers at the NHTCU, the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office (BKA) and the US Federal Bureau of Investigation (FBI). The action also received support from Europol, Eurojust and cybersecurity industry partners.

“SocGholish is not a niche threat. Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks,” said Dr. Renée Burton, vice president of Infoblox Threat Intel, one of the industry partners which supported the action.

The owners of the compromised websites have been informed about what happened and urged to change their login credentials, as well as update the sites with the necessary security patches.

The owners of WordPress sites have also been issued with the following advice:

  • Change their login credentials
  • Enable multi‑factor authentication
  • Delete any unknown additional WordPress accounts
  • Keep their WordPress site up‑to‑date in the future
