It has come to our attention that a web package in use by an application designed for the Australian education sector has been compromised.

Stymie[.]com.au (a reporting platform for bullying / self harm) utilises a package hosted on responsiveuikit[.]com. The package initiates a malicious request to a Russian IP address, which has been found to be hosting a script that calls a likely malicious payload (exploit kit). The hash of this script has been observed on multiple assets worldwide, many of which have been verified within the last few hours. about.stymie[.]com.au was confirmed as using the package and should be considered compromised as recently as 17:00 AEST today (July 11th). Sites using packages hosted on responsiveuikit[.]com seem to be part of the attack. The site appears to host an exploit kit for unsuspecting users.

What can I do?

Clients ingesting Secure-ISS’s blacklist have blocking applied to the IP address to which the offending URL currently resolves. Please note: this IP may change in time, rendering the blacklisting ineffective. Pending advice from the Stymie platform, the current advice to SOC clients is to implement URL blocking for about.stymie[.]com.au.

Initial investigations indicate that only the “about” subdomain is currently considered compromised; however, this may change if and as the situation evolves further.

Further investigations by the Secure-ISS SOC team have determined the root cause to be an exploit hosted on or within the packages available at responsiveuikit[.]com. We encourage users to look at adding this URL to their blocklists to stop any other attacks that may be unrelated to the initial stymie[.]com.au vector.

Note: This may have an impact on web pages using these packages, so partners are advised to keep an ear out for feedback where the block has impacted usability of other unrelated sites.
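Because the resolved IP may change, matching on hostname is more durable than matching on address. The following is an added example, not Secure-ISS tooling: it scans web proxy log lines for requests to the two hosts named in this advisory and lists the referring sites that pulled the package, which are the pages likely to be affected by the block. The five-field log format, the function names and every sample line are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators exactly as the advisory publishes them (defanged).
ADVISORY_INDICATORS = ["responsiveuikit[.]com", "about.stymie[.]com.au"]

def refang(indicator):
    return indicator.replace("[.]", ".").lower()  # for matching only
BLOCKED = {refang(i) for i in ADVISORY_INDICATORS}

def host_of(url):
    """Hostname of a URL (lower-cased, no trailing dot); '' for '-' or junk."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_blocked(host):
    """Match a blocked host or its subdomains, on a label boundary only."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED)

def scan(lines):
    """Return (hits, referrers): (client, host) pairs and referring hosts."""
    hits, referrers = [], set()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:  # assumed format: time client method url referer
            continue
        _time, client, _method, url, referer = parts
        if not is_blocked(host_of(url)):
            continue
        hits.append((client, host_of(url)))
        ref = host_of(referer)
        if ref and not is_blocked(ref):
            referrers.add(ref)  # a page that loaded the package
    return hits, sorted(referrers)

PKG, ABOUT = (refang(i) for i in ADVISORY_INDICATORS)
PARENT = ABOUT.split(".", 1)[1]  # parent domain, not listed as compromised
# Constructed sample lines; paths, clients, subdomains and referrers are invented.
SAMPLE_LOG = [
    f"16:58:01 10.0.0.5 GET https://{PKG}/constructed.js https://school.example/home",
    f"16:58:04 10.0.0.7 GET https://cdn.{PKG}/constructed.css -",
    f"16:59:10 10.0.0.9 GET https://{ABOUT}/ -",
    f"16:59:12 10.0.0.9 GET https://{PARENT}/ -",
    f"17:00:30 10.0.0.4 GET https://not{PKG}/constructed.js -",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The label-boundary match keeps the parent domain and lookalike hostnames out of the results, in line with the finding that only the “about” subdomain is currently considered compromised.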

As always, an exploit kit will look to exploit a known vulnerability. Ensure that your vulnerability assessment program is effective, and that patching is up to date or other mitigating controls are in place, to reduce your attack surface.