Cyber Incident Victim: The Jerusalem Post
Date: Sep 2014
Location: Israel
Summary
The Jerusalem Post and another major newspaper were compromised via a malvertising campaign redirecting users through malicious ads to Nuclear and Fiesta exploit kits. The attack chain leveraged Flash, PDF, and Internet Explorer vulnerabilities to deliver the Zemot Trojan, which communicated with command-and-control servers including warzine.su and wildkit.su. Some malicious domains impersonated legitimate services like Google Ad services and Amazon Web Services to facilitate the exploitation process.
Description
In September 2014, a malvertising campaign targeted The Times of Israel and The Jerusalem Post, two prominent online news platforms with significant international readership. The attack originated in malicious advertisements displayed on the newspapers' websites, which started a multi-stage redirection chain involving several domains and services. The initial malicious ad was served through Google's advertising infrastructure, including googletagservices.com and pubads.g.doubleclick.net, which helped it blend in with legitimate ad traffic. Users were then redirected through zedo.com, static.the-button.com, and a deceptive domain mimicking Amazon Web Services (amazon.wiab-service.se).

The final stages of the chain used oppieposmedism.uni.me to deliver the exploit materials: Flash files (SWF), PDF documents, and HTML pages crafted to trigger vulnerabilities. The Nuclear Exploit Kit ran this exploitation chain, targeting Flash, PDF reader, and Internet Explorer vulnerabilities to deploy malware. Specific URL patterns observed in the redirection sequence suggested that the Fiesta Exploit Kit may have been involved at the same time. The final payload was identified as the Zemot Trojan (detected as Trojan.Agent.BPEN), which communicated with command-and-control servers at warzine.su and wildkit.su and also attempted to contact pubads.g.doubleclick.net and domainsfullkolls.biz.

During the researchers' analysis, Malwarebytes Anti-Exploit blocked the exploitation attempts and Malwarebytes Anti-Malware identified the Zemot payload. The attack infrastructure relied on deliberate obfuscation, including domain names resembling those of legitimate services and multiple layers of redirection. The Times of Israel's website was the initial infection vector, with malicious content embedded in specific article pages such as its Lady Gaga coverage; The Jerusalem Post was confirmed as an additional victim in a subsequent update to the investigation. Researchers notified both newspaper organizations of the compromise, though the available documentation does not specify how quickly the issue was resolved. The incident exposed visitors to potential system compromise through drive-by downloads, abusing the newspapers' trusted reputations to bypass user caution. The source material gives no visitor impact statistics and describes no organizational response beyond the initial notification.
