Cyber Incident Victim: Maisto International
Date: Apr 2016
Location: United States of America
Summary
Maisto's website was compromised to deliver ransomware via the Angler exploit kit, directly hosting malicious files on its homepage. The attack exploited vulnerabilities in outdated applications like Adobe Flash, Java, Silverlight, and Internet Explorer, infecting visitors with CryptXXX ransomware. Researchers noted the site used an outdated Joomla CMS, likely enabling the payload injection. Victims could recover files without payment due to a discovered flaw in the ransomware. This incident underscores risks from trusted sites and highlights the importance of timely security updates, plugin management, and isolated backups.
Description
On or around April 29, 2016, Maisto International's official website (Maisto[.]com) was compromised to deliver ransomware via the Angler exploit kit. Malicious files hosted directly on the homepage exploited vulnerabilities in outdated versions of Adobe Flash, Oracle Java, Silverlight, and Internet Explorer. Visitors using unpatched systems were silently infected with CryptXXX ransomware, which encrypted their files and demanded payment for decryption. Researchers from Kaspersky Lab identified a weakness in CryptXXX that enabled victims to recover files without paying the ransom, though this applied only to infections stemming from the Maisto incident. Malwarebytes confirmed the infection and that attackers leveraged an outdated Joomla content management system (CMS) to inject the malicious payloads into the homepage.

Malwarebytes Senior Security Researcher Jerome Segura utilized a tool from Sucuri to examine the compromise, confirming the outdated Joomla installation as the likely entry point. The attack mirrored a separate campaign disclosed by Palo Alto Networks targeting Microsoft IIS web servers, which similarly used Angler exploits to distribute ransomware such as CryptoWall or TeslaCrypt. The Maisto incident underscored the broader trend of trusted websites being weaponized for drive-by attacks, including prior incidents where malvertisements on high-traffic sites delivered Angler exploits. No details regarding Maisto's containment actions or victim rates were disclosed in available sources.
