Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Amnesty International Hackers Learned From Flashback

Attackers used the same Java vulnerability employed by the Apple Flashback malware to try to infect site visitors with remote administration tools.

Hackers took aim last week at Amnesty International websites in Britain and Hong Kong with an exploit that targeted anyone visiting those websites.

According to technical details of the attack published by Websense, the attackers exploited the Hong Kong Amnesty site over the weekend, and the U.K. Amnesty site sometime between Tuesday and Wednesday of last week. In the case of the British Amnesty site, "the website was apparently injected with malicious code for these two days," according to the Websense analysis. "During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection."

An Amnesty International official in Britain confirmed Monday that the group's website had been attacked, but offered a differing account of the exploit's duration. "Last Thursday, amnesty.org.uk was infected with a piece of malicious code. As soon as we became aware of the infection we worked with our hosting company Claranet to isolate it and remove it as a matter of urgency. Happily, the problem was resolved by Thursday lunchtime," said a spokeswoman for the group via email.

[ Stay safe while traveling. See 9 Tips To Block Hotel Wi-Fi Malware. ]

Amnesty gave credit for spotting the attack to its security monitoring tools. "Security is very important to us and as well as extensive security measures in place to prevent exploits such as this, we also have constant monitoring in place to alert us immediately when incidents like this occur," she said. "All our users' profiles are held on a completely separate website and server and were in no way compromised by this incident."

But attackers may have infected the website in part to gain access to the sequestered Amnesty files. "In some cases, hackers don't want to steal the data from the website but rather want to infect the users who are visiting. This can lead to more access to business-critical data which, for example, is often stored as files on a fileserver," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "In the Amnesty case, the real prize isn't Amnesty's data per se, but the corporate and individual data and files of those who visit the site."

Interestingly, the Amnesty attackers attempted to infect website visitors by using the same Java exploit that was built into both Flashback and SabPub. While those malicious applications targeted Apple OS X users, the Amnesty attack was designed to push a binary file that runs on Windows operating systems, and which was signed using a VeriSign certificate that was issued to Tencent Technology (Shenzhen) Company Limited, and which remains valid until January 2013.

"Through further research we learn that this certificate has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity," said Websense. But whoever built Flashback likely wasn't behind this attack, which Websense said appeared to have been built using the Metasploit penetration-testing framework.

Another interesting finding was that the binary file pushed by the exploited Amnesty sites "is a variant of the well-known remote administration tool Gh0st RAT, which is used mainly in targeted attacks to gain complete control of infected systems," said Websense. "With this control, the remote administrator has access to a user's files, email, passwords, and other sensitive personal information."

Also known as remote access tools, so-called RAT attacks gained notoriety last year after McAfee reported finding a command-and-control website tied to a tool it dubbed Shady RAT. The vendor said the gang behind that particular remote access tool had successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, over a period of five years. While McAfee declined to nominate suspected perpetrators, many security experts suspected China to be behind the attacks.

Last week's attacks weren't the first attempts to hack an Amnesty International site to infect visitors with drive-by malware. Websense said the same Amnesty U.K. site had been compromised in 2009, as had the Hong Kong site, in 2010. In the case of that Hong Kong exploit, attackers inserted a malicious iFrame into the website that redirected all visitors to an external server controlled by the attackers. The site made use of various Adobe Flash, Shockwave, and Apple QuickTime bugs, as well as a zero-day Internet Explorer vulnerability, to attempt to install a Chinese-made remote access tool onto visitors' systems.

At a time when cybercrime has never been more prolific and sophisticated, budgets are being cut. In response, IT is taking a hard look using third-party services--outsourcing--to meet security challenges. Our Making The Security Outsourcing Decision report outlines the various security outsourcing options available. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.