A handful of other websites also had been hit with similar malware but since have been remediated, including the American Research Center in Egypt, the Institute for National Security Studies in Israel, and the Centre for European Policy Studies.
The weapon of choice for a cyberspy or advanced persistent threat (APT) actor gaining a foothold inside its target traditionally has been the socially engineered email with a malicious link or attachment. But cyberspies are increasingly targeting specific, legitimate websites and injecting them with malware in hopes of snaring visiting victims from organizations from similar industries and sectors.
Shadowserver calls this not-so-new phenomenon "strategic Web compromise," where the attackers inject their malware on websites associated with defense, human rights, foreign policy, and foreign relations, for example, and individuals who work for government agencies, companies, or organizations involved in those areas are most likely to visit. This method of targeting victims has been on the upswing during the past few months, according to Shadowserver.
"We've definitely seen an increase in the number of these ... more in the last year," says Steven Adair, a security expert with Shadowserver. Unlike the regular drive-by infection meant to indiscriminately infect as many people as possible, these targeted drive-by infections are all about hooking website visitors from specific types of organizations.
Adair says targeted email attacks and spear-phishing are still the No. 1 vector for cyberespionage. "The Web drive-by attack is definitely not new ... but it appears to be increasing," he says.
But these attackers are also employing the drive-by as a first step, possibly because some organizations have become wiser about falling for social engineering ploys or opening attachments. Although the website compromise casts a wider net, it still focuses on a group of people with common interests or professions.
"It is less precise, but at the same time you will compromise more victims that all have common interests or are involved in the same activities. It could very well be a first phase in an attack that will lead to more precise attacks later, based on what the attackers find now," says Patrik Runald, director of the Websense Security Labs.
Researchers at Shadowserver and Websense have spotted several such targeted attacks in recent days and weeks. According to Shadowserver, the attackers have employed exploits for the recently patched Oracle Java bug (CVE-2012-0507), the same one used by the Flashback Trojan, and for an Adobe Flash bug (CVE-2013-0779). Cyberspies have also used the Java exploit to target Mac users in foreign policy and human rights organizations who visit sites associated with their areas of interest, such as Amnesty International Hong Kong (AIHK). They are ultimately installing remote access Trojans (RATs) onto victims' machines in order to exfiltrate information.
Websense first spotted the compromised AIUK site serving up Java exploits. "We have seen different Amnesty websites get compromised in the past -- 2010, at least twice in 2011 -- serving exploits of a recently patched vulnerability, so ... it didn't come as a big surprise. The trend of pushing RATs is, while not surprising, an interesting development," Websense's Runald says.
The compromised Amnesty websites dumped Gh0stRAT malware on visiting users' machines, for example, he says. "Another example would be the Institute for National Security Studies in Israel where visitors were infected with Poison Ivy, the same RAT that was used in the RSA attack."
Another site that has been targeted by APT actors in recent weeks is the Washington, D.C.-based Center for Defense Information (CDI): Shadowserver says the site is now spreading a Flash exploit that is connected to known cyberespionage actors. But the CDI site isn't hosting the exploit itself; the bad guys have instead placed the exploits on two servers owned by Gannett Company and USA Today, as well as on servers in Korea and Austria.
"The USA Today website itself is not compromised, but a Web server registered to USA Today is. One of their IPs was hacked and it's hosting the exploit code," Adair says. "So people visiting the USA Today [website] are not being infected."
Why use legitimate intermediary servers rather than host everything on the CDI site? Adair says there's no way to know for sure, but the attackers may be doing so for redundancy, to avoid getting blocked, and to help remain under the radar, which is a hallmark of the drive-by attack.
"I believe that it's as simple as they were able to compromise it and as it's a server with good reputation, hosted in the U.S. It won't raise suspicion if network administrators see traffic to that IP in their logs. So it served their purpose well, but I don't believe there was any specific reason why that server was used beyond that," Websense's Runald says.
Cyberspies and APT attackers are also employing zero-day exploits. "When you find there's a zero-day exploit discovered in the wild that was being used ... in limited attacks in the wild, that is always bad news," Shadowserver's Adair says. "That's bad for people doing defense. It has been going around and not a lot knew about it or a lot of defenses for it."
The downside for victims who get infected at these websites is that the attacks are invisible, and in most cases, users don't know they picked up the Trojan or other malware. They also don't know that their infected machine was the attacker's gateway into their organizations. Like anything else, the main defense is best security practices, like keeping software updated and patched.
"The vulnerabilities used in these attacks have been fixed. Java, Flash, and Adobe Reader are the three most targeted applications in Web-based attacks, so users really must make sure they install the latest version as soon as it's available. Also consider uninstalling Java if you don't have a need for it," Websense's Runald advises.
As for the websites that are now in the bull's eye of the APT, locking down administrative accounts, sanitizing upload forms, and securing Web application code is crucial, according to Shadowserver's Adair, who posted a blog today that includes graphics and samples of the attacks.
"Website owners have to make sure that they close all holes that allow SQL injection or other compromises to take place. In these cases, it looks like SQL injections have been used," Runald says.