Attacks/Breaches
5/15/2012 03:55 PM

Cyberspies Target Victims Via 'Strategic' Drive-by Website Attacks

Cyberespionage attackers are increasingly injecting specific, legitimate websites with malware in hopes of snaring victims with common interests -- most recently, human rights organizations

Human rights organizations are currently under attack via the Center for Defense Information's website, Amnesty International Hong Kong's website, and the Cambodian Ministry of Foreign Affairs ASEAN 2012 website -- all of which have been hacked to serve malicious iFrames to unsuspecting visitors, according to the Shadowserver Foundation.

A handful of other websites also had been hit with similar malware but since have been remediated, including the American Research Center in Egypt, the Institute for National Security Studies in Israel, and the Centre for European Policy Studies.

The weapon of choice for a cyberspy or advanced persistent threat (APT) actor seeking a foothold inside its target traditionally has been the socially engineered email with a malicious link or attachment. But cyberspies are increasingly targeting specific, legitimate websites and injecting them with malware in hopes of snaring visiting victims from organizations in similar industries and sectors.

Shadowserver calls this not-so-new phenomenon "strategic Web compromise": the attackers inject their malware into websites associated with, for example, defense, human rights, foreign policy, and foreign relations, which individuals who work for government agencies, companies, or organizations involved in those areas are most likely to visit. This method of targeting victims has been on the upswing during the past few months, according to Shadowserver.
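The injected iFrames described above are something a site owner can look for in their own pages. The script below is an added example, not tooling from Shadowserver, Websense, or the article; it parses fetched HTML with the standard library and flags any iframe whose source host is not on the site's own allowlist or that is styled to render invisibly. The page content, the hostnames, and the allowlist are constructed samples.

```python
"""Scan a site's own HTML for injected, off-site or hidden iframes.

Added illustrative example, not code from the article or the researchers it
quotes. A site owner can run this over pages fetched from their own web
server to catch the kind of injected iframe described above. The hostnames,
allowlist and page content below are constructed samples.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns commonly used so an injected iframe renders unseen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None.
            self.iframes.append(dict(attrs))


def is_suspicious(attrs, trusted_hosts):
    """Return the reasons this iframe looks injected (empty list = clean)."""
    reasons = []
    src = attrs.get("src") or ""
    host = urlparse(src).hostname
    if host and host not in trusted_hosts:
        reasons.append(f"off-site src host {host}")
    # Zero- or one-pixel dimensions are a classic drive-by hiding trick.
    for dim in ("width", "height"):
        val = attrs.get(dim) or ""
        if val.strip().rstrip("px") in ("0", "1"):
            reasons.append(f"{dim}={val}")
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        reasons.append("hidden via CSS")
    return reasons


def scan_html(html_text, trusted_hosts):
    """Return [(src, reasons)] for every iframe that trips at least one check."""
    parser = IframeCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.iframes:
        reasons = is_suspicious(attrs, trusted_hosts)
        if reasons:
            findings.append((attrs.get("src") or "", reasons))
    return findings


# Constructed sample page: one legitimate embed and one injected iframe.
SAMPLE_PAGE = """<html><body>
<h1>Annual Report</h1>
<iframe src="https://www.example.org/video/embed" width="560" height="315"></iframe>
<iframe src="http://exploit-host.invalid/x.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE_PAGE, {"www.example.org"}):
        print(f"SUSPICIOUS iframe {src}: {', '.join(why)}")
```

Run it against pages pulled straight from the web server (not a cached copy) and alert on any finding; a legitimate third-party embed that is on the allowlist and visibly sized passes, while the off-site, zero-sized, CSS-hidden frame is reported with every reason it tripped.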

"We've definitely seen an increase in the number of these ... more in the last year," says Steven Adair, a security expert with Shadowserver. Unlike the regular drive-by infection meant to indiscriminately infect as many people as possible, these targeted drive-by infections are all about hooking website visitors from specific types of organizations.

Adair says targeted email attacks and spear-phishing are still the No. 1 vector for cyberespionage. "The Web drive-by attack is definitely not new ... but it appears to be increasing," he says.

But these attackers are also employing the drive-by as a first step, possibly because some organizations have become wiser about falling for social engineering ploys or opening attachments. Although the website compromise casts a wider net, it still focuses on a group of people with common interests or professions.

"It is less precise, but at the same time you will compromise more victims that all have common interests or are involved in the same activities. It could very well be a first phase in an attack that will lead to more precise attacks later, based on what the attackers find now," says Patrik Runald, director of the Websense Security Labs.

Researchers at Shadowserver and Websense have spotted several such targeted attacks in recent days and weeks. The attackers have employed exploits for the recently patched Oracle Java bug (CVE-2012-0507), the same one used by the Flashback Trojan, and for an Adobe Flash bug (CVE-2013-0779), according to Shadowserver. Cyberspies have used the Java exploit to target Mac users, as well, in foreign policy and human rights organizations who visit sites associated with their areas of interest, such as Amnesty International Hong Kong (AIHK). They are ultimately installing remote access Trojans (RATs) onto victims' machines in order to exfiltrate information.

Websense first spotted the compromised AIUK site serving up Java exploits. "We have seen different Amnesty websites get compromised in the past -- 2010, at least twice in 2011 -- serving exploits of a recently patched vulnerability so ... it didn't come as a big surprise. The trend of pushing RATs is, while not surprising, an interesting development," Websense's Runald says.

The compromised Amnesty websites dumped Gh0stRAT malware on visiting users' machines, for example, he says. "Another example would be the Institute for National Security Studies in Israel where visitors were infected with Poison Ivy, the same RAT that was used in the RSA attack."

Another site that has been targeted by APT actors in recent weeks is the Washington, D.C.-based Center for Defense Information (CDI): Shadowserver says the site is now spreading a Flash exploit that is connected to known cyberespionage actors. But the CDI site isn't hosting the exploit; the bad guys, instead, have placed the exploits on two servers owned by Gannett Company and USA Today, as well as servers in Korea and Austria.

"The USA Today website itself is not compromised, but a Web server registered to USA Today is. One of their IPs was hacked and it's hosting the exploit code," Adair says. "So people visiting the USA Today [website] are not being infected."

Why use legitimate intermediary servers rather than host everything on the CDI site? Adair says there's no way to know for sure, but the attackers may be doing so for redundancy, to help remain under the radar (a hallmark of the drive-by attack), and to avoid getting blocked.

"I believe that it's as simple as they were able to compromise it and as it's a server with good reputation, hosted in the U.S. It won't raise suspicion if network administrators see traffic to that IP in their logs. So it served their purpose well, but I don't believe there was any specific reason why that server was used beyond that," Websense's Runald says.

[Image: CDI Flash Exploit. Source: Shadowserver Foundation]

Cyberspies and APT attackers are also employing zero-day exploits. "When you find there's a zero-day exploit discovered in the wild that was being used ... in limited attacks in the wild, that is always bad news," Shadowserver's Adair says. "That's bad for people doing defense. It has been going around and not a lot knew about it or a lot of defenses for it."

The downside for victims who get infected at these websites is that the attacks are invisible: in most cases, users don't know they picked up the Trojan or other malware, and they don't know that their infected machine was the attacker's gateway into their organization. As with other attacks, the main defense is basic security hygiene, such as keeping software updated and patched.

"The vulnerabilities used in these attacks have been fixed. Java, Flash, and Adobe Reader are the three most targeted applications in Web-based attacks, so users really must make sure they install the latest version as soon as it's available. Also consider uninstalling Java if you don't have a need for it," Websense's Runald advises.


As for the websites that are now in the bull's-eye of the APT, locking down administrative accounts, sanitizing upload forms, and securing Web application code are crucial, according to Shadowserver's Adair, who published a blog post today that includes graphics and samples of the attacks.

"Website owners have to make sure that they close all holes that allow SQL injection or other compromises to take place. In these cases, it looks like SQL injections have been used," Runald says.
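Runald's advice above is about the site owner's own code, so here is the hole he describes beside its fix. This is an added example, not code from the article or from any of the compromised sites: a page lookup built by string formatting, the same lookup with a bound parameter, and an in-memory SQLite table of constructed rows to show what each returns.

```python
"""Vulnerable string-built query beside its parameterized replacement.

Added example, not from the article, Shadowserver or Websense. It uses an
in-memory SQLite table of constructed sample rows to show why closing
SQL-injection holes matters for the owners of the websites discussed above.
"""
import sqlite3


def make_db():
    """Build a small in-memory site database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [("about", "About us", 1),
         ("report", "Annual report", 1),
         ("draft-2012", "Unpublished draft", 0)],
    )
    return conn


def lookup_vulnerable(conn, slug):
    """Builds SQL by string formatting, so user input becomes part of the query."""
    sql = f"SELECT title FROM pages WHERE published = 1 AND slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Same query with a bound parameter: the input is only ever treated as data."""
    sql = "SELECT title FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Constructed input that closes the string literal and appends its own clause.
INJECTED_SLUG = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal request, vulnerable lookup:", lookup_vulnerable(db, "about"))
    print("injected request, vulnerable lookup:", lookup_vulnerable(db, INJECTED_SLUG))
    print("injected request, safe lookup:", lookup_safe(db, INJECTED_SLUG))
```

With the constructed input, the string-built query returns every row, including the unpublished draft the `published = 1` filter was supposed to hide, because the appended clause rewrites the WHERE logic; the parameterized version returns nothing, since the database compares the whole string to the slug column instead of parsing it as SQL. The same bound-parameter pattern applies to every query a site's upload forms, search boxes and admin pages execute.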

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
