Drive-by-download attack preparations using our label 'Greenbone'



We would like to shed some light on something we have noticed happening more frequently in recent months:

Websites, all of them completely unrelated to Greenbone and our partners, pretend to have information about our products, our services, and our feeds (GCF and GSF). A recent example is:
--redacted--.com/**vpjdgs6/m4eilbb.php?hccmvqfrn**=greenbone-cert-feed
which we have found in our regular searches. The full URL is intentionally not cited here.

As can be seen from the URL, it is some weird subfolder in the page structure (highlighted by **....**). We found that for almost all of those websites discovered, the same structure is in place, as you can see here:

--redacted--.com/**rgpah3a/urowmui.php?vcmrenier**=greenbone-cert-feed
--redacted--.net/**agvi5t9/2cmri4o.php?vcmrenier**=greenbone-cert-feed
--redacted--.com/**wrvtggy/45hslp4.php?ribjrpiik**=openvas-greenbone
--redacted--.com/**6lqemwp/vxwhc6r.php?ribjrpiik**=greenbone-nvt-sync-command-not-found
--redacted--.fr/**k4bplov/htspbiu.php?ribjrpiik**=greenbone-community-edition-download

It is likely that the CMS used to run/maintain those websites has been compromised and the pages have been added to the website (automatically) by an adversary. The ultimate goal is to get a user on that page and ask for additional information or try a ‘drive-by-attack’ or similar malicious actions.

Likely, and over time, those servers will appear in abuse lists or Threat Intelligence feeds as compromised. Given that attackers adapt quickly, there is always a chance of unknown ones.

This is a common fraud that happens not just for Greenbone but for many other popular keywords.

We recommend paying close attention to the links you receive or find during your web searches.
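The URL structure quoted above (random subfolder, random `.php` file name, a single random query parameter carrying a brand-keyword slug) is regular enough to be matched mechanically, for example against proxy logs or search-result exports. The following Python script is an added example and not Greenbone's code; the length and character-set bounds are assumptions read off the five example URLs in the post, and the host names in the sample list are placeholders constructed for the example. A hit is a lead for an analyst, not proof that the host is compromised.

```python
"""Flag URLs that follow the spam-page pattern described in the post.

Added example, not Greenbone's code. The length/charset bounds below are
ASSUMPTIONS taken from the five example URLs in the post; a real campaign
may change them, so treat a hit as a lead, not as proof of compromise.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Path: /<random dir>/<random file>.php  (7 lowercase alnum chars each in the post)
PATH_RE = re.compile(r"^/[a-z0-9]{6,8}/[a-z0-9]{6,8}\.php$")
# Exactly one query parameter whose name is a random lowercase string (9 letters in the post)
PARAM_NAME_RE = re.compile(r"^[a-z]{8,10}$")
# Parameter value: a hyphenated keyword slug carrying the abused brand name
SLUG_RE = re.compile(r"^[a-z0-9-]+$")
BRAND_KEYWORDS = ("greenbone", "openvas")


def looks_like_seo_spam_url(url: str) -> bool:
    """True if the URL matches the path/parameter/slug shape quoted in the post."""
    parsed = urlparse(url)
    if not PATH_RE.match(parsed.path):
        return False
    params = parse_qs(parsed.query, keep_blank_values=True)
    if len(params) != 1:
        return False
    (name, values), = params.items()
    if not PARAM_NAME_RE.match(name) or len(values) != 1:
        return False
    value = values[0].lower()
    return bool(SLUG_RE.match(value)) and any(k in value for k in BRAND_KEYWORDS)


def scan(urls):
    """Return the suspicious URLs in input order."""
    return [u for u in urls if looks_like_seo_spam_url(u)]


def cluster_by_param(urls):
    """Group hits by the random parameter name.

    The same parameter name reused across unrelated hosts (vcmrenier, ribjrpiik
    in the post) suggests one campaign or kit, which helps when triaging many hits.
    """
    clusters = defaultdict(list)
    for u in scan(urls):
        parsed = urlparse(u)
        name = next(iter(parse_qs(parsed.query)))
        clusters[name].append(parsed.netloc)
    return dict(clusters)


# Constructed sample: hosts are placeholders, paths mirror the structure quoted in the post.
SAMPLE_URLS = [
    "https://site-a.example.com/rgpah3a/urowmui.php?vcmrenier=greenbone-cert-feed",
    "https://site-b.example.net/agvi5t9/2cmri4o.php?vcmrenier=greenbone-cert-feed",
    "https://site-c.example.com/wrvtggy/45hslp4.php?ribjrpiik=openvas-greenbone",
    "https://site-d.example.fr/k4bplov/htspbiu.php?ribjrpiik=greenbone-community-edition-download",
    # Ordinary URLs that merely contain the keyword: must not be flagged
    "https://docs.example.org/greenbone-cert-feed.html",
    "https://blog.example.org/wp/index.php?p=greenbone-review",
    "https://site-e.example.com/rgpah3a/urowmui.php?vcmrenier=greenbone-cert-feed&utm=1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print("suspicious:", hit)
    print(cluster_by_param(SAMPLE_URLS))
```

The regular expressions are deliberately loose on length so that small variations still match; tighten or widen them against your own observations, and expect false negatives as soon as the kit changes its naming scheme.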