Attacks/Breaches
5/1/2013
11:24 AM
50%
50%

U.S. Labor Dept. Website Hacked, Serves Malware

Attack bears strong similarities to previous campaigns executed by Chinese APT attack group "DeepPanda," reports security expert.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
The U.S. Department of Labor website was hacked Tuesday evening to launch drive-by attacks at visitors' Web browsers.

That warning was sounded Wednesday morning by Jaime Blasco, director of AlientVault Labs, as well as Anup Ghosh, CEO of Invincea, both of whom reported that the Department of Labor servers had been infected by malicious code.

A Department of Labor spokeswoman, reached by phone, declined to comment on the attack reports. But Blasco said via email: "Several people within the U.S. government have been contacted so they should be working on it right now. We published this information because the exploit is still there and we are tying to warn people not to visit the website."

[ Redact throws down a security gauntlet. Read Can You Hack This Smartphone App For £10,000? ]

By late Wednesday morning, the malware campaign appeared to have been stopped. "The site has since been fixed and law enforcement is investigating," said Invincea's Ghosh in a blog entry posted late Wednesday morning.

How did the attack work? If a system was successfully compromised by the malicious code running on the Department of Labor's website, it would "phone home" to a command-and-control (C&C) server that's disguised as a Microsoft update server. "The C&C protocol matches with a backdoor used by a known Chinese actor called DeepPanda," Blasco said in a blog post.

In addition, Blasco said the attack code used strongly resembled a previous exploit seen against a Thai nongovernmental organization that focuses on human rights under the auspices of the Association of Southeast Asian Nations.

Security intelligence firm CrowdStrike has tied DeepPanda to a number of advanced persistent threat (APT) attacks, noting that the group's attacks "target various strategic interests of the United States including high tech/heavy industry, non-governmental organizations (NGOs), state/federal government, defense industrial base (DIB), and organizations with vast economic interests."

The malware served by the Department of Labor website targeted a vulnerability that's been patched by Microsoft. According to Blasco, "after a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year." According to a related vulnerability summary from NIST, the flaw involves a "use-after-free vulnerability in Microsoft Internet Explorer 6 through 8" which attackers can use to remotely execute arbitrary code in a vulnerable browser. The vulnerability was first discovered in December 2012, when it was seen in zero-day attacks.

The malware loaded onto the Department of Labor server also attempted to execute JavaScript code in a browser, with the code being served up directly from the Department of Labor website. The malware also attempted to execute a malicious PHP script that's downloaded from an external server that's currently hosted by OC3 Networks & Web Solutions in Los Angeles, and which also received information about compromised systems.

If the malware was successfully able to exploit the IE vulnerability, it downloaded an attack payload from a remote server. Blasco said that as of early Wednesday morning, according to VirusTotal, the downloaded code was being flagged as malicious by only two out of 46 antivirus scanners. But by later that morning, 13 antivirus scanners had been updated to identify the attack.

The PHP script used in the attack "will collect a lot of information from the system and then it will upload the information collected to the malicious server," said Blasco. In particular, the script checks to see if Flash or Java browser plug-ins are installed on the system, and if so, which versions. Other routines, meanwhile, look for the presence of BitDefender security software, and if they find it, attempt to deactivate it. The script also searches for the presence of other information security software, including AVG, Avira, Dr.Web, ESET, F-Secure, Kaspersky Lab, McAfee, Microsoft Security Essentials and Sophos. The script also looks for the Google Chrome plug-ins for the Avast or Avira antivirus, and checks to see if Microsoft Office is installed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Patrick M
50%
50%
Patrick M,
User Rank: Apprentice
5/1/2013 | 5:44:49 PM
re: U.S. Labor Dept. Website Hacked, Serves Malware
Is it surprising that someone other than the website hacked reports about the exploit and potential risk for browsers? I wonder about the number of companies - and govt entities - that prefer to keep it private, even though I'd argue they have a responsibility to inform everyone of the breach.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Equal pay--easy; equal work--not so much.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.