James Pleger, Director of Research at the risk management software company RiskIQ, reported yesterday that the attack against the jQuery.com web servers ran for a short period on the afternoon of September 18th.
So users who visited the website on September 18th may have been redirected to a site hosting RIG and had their systems infected with data-stealing malware. Pleger urged those who visited the site during the alleged attack to re-image their systems, reset passwords for any user accounts used on those systems, and look for suspicious activity, whether or not it originated from the affected system.
"However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users [who are] generally IT systems administrators and web developers, including a large contingent who work within enterprises," Pleger wrote.
The RIG exploit kit is often used to deliver banking Trojans and other information-stealing malware. The researcher said he detected malware on compromised machines that steals credentials and other data.
"Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach."
RiskIQ researchers immediately notified the jQuery Foundation about the issue. In response, the jQuery Foundation said that its internal investigation of the servers and logs did not find the RIG exploit kit or any evidence of a compromise.
The RIG Exploit Kit was first spotted in April this year. It checks a visitor's system for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia plugin and, if one is found, the system is instantly exploited by the bad actors. It was also used to distribute CryptoWall ransomware back in June.
In an official blog post, Ralph Whitbeck from jQuery.com commented on RiskIQ's findings:
"Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise."
He did, however, note that "Currently the only potential system compromised is the web software or server that runs jquery.com," and that "At no time have the hosted jQuery libraries been compromised." "Even though we don't have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean," he added.