Revive Adserver is an open-source advertising server that allows companies to manage in-house and third-party advertisements on their websites. According to the advertising security firm Confiant, a group going by “Tag Barnakle” has been injecting malicious ads through vulnerable Revive servers. The attackers, in this case, appear to be using modified versions of advertisements already in use by the publisher, possibly to keep from raising suspicion. These new, malicious ads will then redirect visitors to pages pretending to be an Adobe Flash Player update. If the victim downloads and installs the fake Flash update, malware is installed. The Shlayer Trojan has been observed to be delivered to MacOS systems, while Windows systems have received a variety of different browser extensions, ransomware, and trojan infections.
Analyst Notes
Organizations that choose to use self-hosted alternatives to larger advertising solutions should monitor the server to detect signs of compromise and have a schedule in place to update the server when necessary. Advertisements are everywhere online, making them a very lucrative target. Malicious advertisements can also harm a site’s reputation, potentially landing it in block lists or browser warning lists, such as Google’s Safe Browsing. Malicious redirects happen to everyone at some point or another. If a site suddenly redirects and loads a Flash Player update, a survey, an animated message that says “Congratulations on being the 1,000,000th visitor!” or anything else, don’t click the links or fill out any information. The best thing to do would be to either manually browse back to the site or just close that tab.
Sources: https://www.bleepingcomputer.com/news/security/revive-ad-servers-being-hacked-to-distribute-malicious-ads/
https://blog.confiant.com/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1
