Similar campaigns using SocGholish have been seen from other threat actors in the past. For example, the Evil Corp cybercrime gang used SocGholish to infect over 30 U.S. private firms. That attack was likewise delivered through fake update prompts on compromised news websites, with ransomware deployment as the end goal.
This campaign highlights the ever-growing threat of supply-chain attacks. When browsing a newspaper website, the end user assumes the site is reputable and secure, so when SocGholish presents a fake update alert on that same page, many users trust the alert and fall victim to the threat actor. A fake-update lure on a single compromised site reaches only that site's visitors; the compromise of the undisclosed media company amplifies it, because one injected script lets the actors compromise hundreds of different websites at once.
Because this campaign is delivered from legitimate and reputable sites, network-level detection is more difficult. Previously recommended detections for SocGholish look for file creations matching the pattern "*.Update.zip" (where the prefix is the browser or product the fake update impersonates) and monitor the common download and temp paths this malware has been seen writing to. An attacker can trivially change the file name or the drop location, so these rules should be treated as brittle indicators rather than the primary control. The better strategy is a defense-in-depth approach that detects the post-exploitation activity actors carry out after a SocGholish infection, regardless of how the initial payload was named.
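To make the brittleness concrete, the following is an added example (not code from the original article or from any vendor's detection content) that runs the name-based and path-based file-creation rules described above over a handful of constructed, Sysmon-style FileCreate events. The event field names, the browser process list and the sample file paths are assumptions chosen for illustration; the renamed lure in the third event shows how a one-character change defeats the name rule while the path heuristic still fires, and the usage note explains why that broader heuristic is noisy.

```python
"""Name/path-based SocGholish file-creation triage over constructed events.

Added example, not from the original article. Events mimic Sysmon Event ID 11
(FileCreate) fields; the samples below are constructed, not real telemetry.
"""
import re

# Rule 1: the classic file-name indicator, "<spoofed product>.Update.zip".
UPDATE_LURE = re.compile(r"\.update\.zip$", re.IGNORECASE)

# Rule 2: archive written by a browser into a typical staging directory.
# (Assumed paths; adjust to the directories seen in your own environment.)
STAGING_DIRS = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed process list

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Chrome.Update.zip"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\Firefox.Update.zip"},
    # Same lure with one character changed: evades the name rule.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Chrome.Upd4te.zip"},
    # Benign: a system service writing an archive outside the staging dirs.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report.zip"},
]


def classify(event):
    """Return a severity tier for one FileCreate event, or None if nothing fires.

    "high"   - lure file name AND browser-to-staging-dir write
    "medium" - lure file name only
    "low"    - browser-to-staging-dir .zip write only (noisy on its own)
    """
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    target = event["TargetFilename"]
    name_hit = bool(UPDATE_LURE.search(target))
    path_hit = (bool(STAGING_DIRS.search(target))
                and target.lower().endswith(".zip")
                and image in BROWSERS)
    if name_hit and path_hit:
        return "high"
    if name_hit:
        return "medium"
    if path_hit:
        return "low"
    return None


def scan(events):
    """Return (target_filename, tier) for every event that triggers a rule."""
    hits = []
    for event in events:
        tier = classify(event)
        if tier:
            hits.append((event["TargetFilename"], tier))
    return hits


if __name__ == "__main__":
    for target, tier in scan(SAMPLE_EVENTS):
        print(f"{tier:6s} {target}")
```

The first two events score "high" because both rules agree; the renamed lure drops to "low" because only the path heuristic fires, and that heuristic also fires on every legitimate archive a browser saves to Downloads. That trade-off is exactly why the file-name rule alone is a weak control: tightening it misses trivial renames, loosening it drowns analysts in benign downloads, so the durable signal has to come from the post-exploitation behaviour that follows the drop.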