Hundreds of U.S. News Sites Push Malware in Supply-Chain Attack

This campaign highlights the growing threat of supply-chain attacks. Readers of a newspaper website assume the site is reputable and safe, so when a fake browser-update alert from SocGholish appears on it, many users trust the alert and run what it delivers. This style of social engineering works on a single compromised site as well, but the compromise of an undisclosed media company that supplies content to these sites amplifies it: one upstream compromise lets the actors push the lure through hundreds of websites at once.

Because the malicious code is served through legitimate, reputable sites, detection is harder: blocking the delivery site by reputation is not an option. Previously recommended SocGholish detections look for file creations matching “x.Update.zip” and monitor the paths the malware has been seen writing to. File names and drop paths are trivial for an attacker to change, so these indicators should not be the only control. Organizations should layer defenses that catch the behaviour that follows the lure, such as a script host executing a freshly downloaded file and the post-exploitation activity the actors carry out afterwards, rather than the names of the files they happen to use today.
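To make the difference between the two approaches concrete, here is an added example (not code from the article or from any vendor detection) that runs a name-based rule and two behaviour-based rules over constructed Sysmon-style events. The event shape (EventID 11 for FileCreate, EventID 1 for ProcessCreate, with Image, ParentImage, TargetFilename and CommandLine fields) follows Sysmon conventions, but every event, path, user name and rule name below is made up for the example. It assumes the lure arrives as a ZIP containing a script that the user runs through the Windows Script Host; the second lure in the sample uses a different file name to show the name-based rule missing it while the behavioural rules still fire.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (hypothetical telemetry, not from a real host).
# EventID 11 = FileCreate, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    # Lure 1: the classic "<Browser>.Update.zip" dropped by the browser, then run via wscript.
    json.dumps({"EventID": 11,
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "TargetFilename": r"C:\Users\alice\Downloads\Chrome.Update.zip"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                               r'"C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Update.js"'}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\whoami.exe",
                "ParentImage": r"C:\Windows\System32\wscript.exe",
                "CommandLine": "whoami /all"}),
    # Lure 2: same technique, renamed file. The name-based rule is blind to it.
    json.dumps({"EventID": 11,
                "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "TargetFilename": r"C:\Users\bob\Downloads\browser-patch.zip"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                               r'"C:\Users\bob\Downloads\browser-patch\install.js"'}),
    # Benign: a domain logon script run by cscript from SYSVOL. Must not alert.
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\cscript.exe",
                "ParentImage": r"C:\Windows\System32\gpscript.exe",
                "CommandLine": r"cscript.exe //nologo \\corp.example\SYSVOL\corp.example\scripts\logon.vbs"}),
]

# Rule 1 (brittle): the file-name indicator from past SocGholish guidance.
LURE_NAME = re.compile(r"^[\w-]+\.Update\.zip$", re.IGNORECASE)

# Rule 2 (behavioural): a script host running a script out of a user-writable location.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)

# Rule 3 (post-exploitation): recon tooling spawned by a script host.
RECON_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(event_lines):
    """Return (rule_name, detail) tuples for every event that trips a rule."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev["EventID"] == 11:
            name = PureWindowsPath(ev["TargetFilename"]).name
            if LURE_NAME.match(name):
                alerts.append(("lure_filename", name))
        elif ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
                alerts.append(("script_host_user_dir", cmd))
            if parent in SCRIPT_HOSTS and image in RECON_TOOLS:
                alerts.append(("recon_from_script_host", cmd))
    return alerts


def run_sample():
    """Run all rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:24} {detail}")
```

Running it shows the name-based rule firing once (Chrome.Update.zip) while the script-host rule fires for both lures and the recon rule catches the follow-on activity; the SYSVOL logon script stays quiet because it runs from a system path. In production the "user-writable path" and recon-tool lists would be tuned per environment, but the structure is the point: the behavioural rules do not depend on a file name the attacker controls.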

https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/