Tag Barnakle’s Impact & Volumes

To date, we have observed Tag Barnakle activity first hand on over 360 web properties, but the breach impacts tens of thousands of sites, because some of the hacked ad servers have deep RTB integrations with multiple ad exchanges.

RTB, or real-time bidding, is the specification that governs the flow of the ad tech supply chain through auctions across multiple intermediaries.

Looking at the volumes behind just one of the compromised RTB ad servers, we see spikes of up to 1.25MM affected ad impressions in a single day. For context, Tag Barnakle has compromised ~60 ad servers in total.

A one week trend line snapshot of Tag Barnakle activity.

We started investigating the attribution of the ad serving elements shared between the Tag Barnakle payloads in early March of 2020. Notable spikes in their activity were observed during the “peak” holiday advertising season of late 2019.

During a retrospective analysis, we found examples of the attacker in our telemetry dating back to August 2019, showing at least 8 months of consistent malvertising activity that continues today.

IOCs — Barnakle Owned Cloaking Domains


IOCs — Compromised Revive Adserver Instances

These IOCs are a compilation of our findings over the last few months. Some of the ad servers have since been patched. As of 4/16/2020, we have notified everyone on the list below of our findings.


We did a non-intrusive scrape of the Revive Adserver versions running on the hacked instances above and found the following:

Revive Adserver v3.2.5

Revive Adserver v4.0.0

Revive Adserver v4.0.1

Revive Adserver v4.1.1

Revive Adserver v4.1.2

Revive Adserver v4.1.3

Revive Adserver v4.1.4

Revive Adserver v4.2.1

Revive Adserver v5.0.4

Revive Adserver v5.0.5

The current version of Revive is 5.0.5, but it’s worth noting that some of the more recent versions in the list may reflect software updates applied after the initial compromise, so an up-to-date version alone does not indicate that an instance is clean.

Conclusion

Confiant specializes in the detection, prevention, and attribution of malvertising campaigns and ad related threats.

In this post we have done a deep dive into the TTPs of Tag Barnakle, an attacker that we have been neutralizing on behalf of our customers since early August 2019.

We have shown that there are sophisticated threat actors that compromise ad serving infrastructure in order to expose millions of victims to malware. This has been the first disclosure in a series on attackers that hack ad servers as a core tactic of their modus operandi. More reports on attackers with a similar approach to malvertising are coming soon.