Amnesty International’s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.
The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.
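The infection chain described above starts with a resource load the site owner never added: a script pulled from a third-party host, which in turn drops a Java applet. As an added example (not code from the article, from Amnesty International or from KrebsOnSecurity), the following Python walks a page's HTML with the standard-library parser and reports every script, applet, object, embed or iframe load whose host is outside a first-party allowlist; the hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attributes make the browser fetch and run remote content.
LOAD_ATTRS = {
    "script": ("src",),
    "applet": ("code", "codebase", "archive"),
    "object": ("data", "codebase"),
    "embed": ("src",),
    "iframe": ("src",),
}

class ExternalLoadFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in LOAD_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            host = urlparse(url).hostname if url else None
            # No host means a relative URL served from the page's own origin.
            if host and host.lower() not in self.own_hosts:
                self.findings.append((tag, attr, url))

def find_external_loads(html, own_hosts):
    """Return (tag, attr, url) for every load from a non-first-party host."""
    finder = ExternalLoadFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: legitimate first-party loads plus an injected remote
# script and a 1x1 Java applet served from an unrelated host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.org.uk/menu.js"></script>
<script src="http://hacked-car-site.example/cgi-bin/x.js"></script>
</head><body>
<applet code="Applet.class" archive="http://hacked-car-site.example/a.jar"
        width="1" height="1"></applet>
</body></html>"""

if __name__ == "__main__":
    for hit in find_external_loads(SAMPLE_HTML, ["www.example.org.uk", "cdn.example.org.uk"]):
        print("external load:", *hit)
```

Running this against a periodic fetch of your own homepage and diffing the findings is a cheap way to notice an injection like this one before visitors do.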
A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.
This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack. In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability.
The UK site is not particularly popular – its global rank is 90,203 according to Alexa.com – but the chances are good that the attackers behind this are not after financial data. It appears more likely that the exploit may be part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations.
The attack against Amnesty International’s Hong Kong site last year loaded malware that belongs to a notorious family of backdoor Trojans from China. According to a ThreatExpert analysis of the malicious Java file currently being served by Amnesty’s UK site, the malware it downloads appears to be associated with China.
Paul Royal, a research consultant with Barracuda Networks, said the attack fits the profile of previous campaigns against human rights non-governmental organizations.
“Certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists,” Royal wrote in an email to KrebsOnSecurity, noting that the site appears to have been compromised since at least Dec. 16. “Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.”
These attacks highlight the importance of staying up to date on security patches. In the case of Java, removing oft-targeted software that you don’t really need may be a safer option. Either way, tools like Secunia’s Personal Software Inspector or FileHippo’s Update Checker can help you stay on top of the latest security updates for popular software titles.
Update, 12:59 p.m. ET: Barracuda Labs just published a blog post about this.
Update, Dec. 24, 9:40 a.m. ET: Emerson Povey, digital communications editor for Amnesty International UK, wrote in to say that the exploit has been removed from the site.
Why haven’t you submitted the file to VirusTotal? I’d like to see the detection rate.
A link to the Virustotal analysis is the very first link in this blog post.
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
What ever happened to picking targets that didn’t make you a total scumbag? Seniors? Amnesty Int.? Come on blackhats, class it up a bit.
Going back up the tree a few levels to http://3max.com.br/cgi-bin/ , it says “By TeaM MosTa” – See: http://www.zone-h.org/archive/notifier=TEAM%20MOSTA
That doesn’t tie in with the anti-dissident theory very well. Maybe the amnesty hackers just used an already compromised server. Or did they just put “By TeaM MosTa” as a misdirect?
It looks like this particular malware sample tries to post data to IP 209.40.98.173 on port 443, but it does not use HTTPS as the protocol.
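The observation that the sample posts to port 443 without HTTPS is itself a usable detection signal: a genuine TLS session opens with a ClientHello record, while plaintext HTTP begins with an ASCII method. As an added example (not code from the comment or the post), this Python classifies the first client payload of a port-443 connection and lists destinations that never started a TLS handshake; the IP addresses and payloads are constructed.

```python
# TLS record header: content type 0x16 (handshake) followed by a record
# version of 0x0300..0x0304; the handshake body then opens with type 1
# (ClientHello). Plaintext HTTP instead starts with an ASCII method.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def classify_443_payload(payload: bytes) -> str:
    """Return 'tls', 'plaintext-http' or 'unknown' for a client's first bytes."""
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == CLIENT_HELLO):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

def suspicious_443_flows(flows):
    """flows: iterable of (dst_ip, first_client_payload) seen on port 443.
    Returns the destination IPs that did not begin with a TLS handshake."""
    return sorted({ip for ip, data in flows if classify_443_payload(data) != "tls"})

# Constructed sample flows: a minimal ClientHello header followed by padding,
# and a plaintext POST of the kind the commenter describes.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + b"\x00" * 32
SAMPLE_PLAIN_POST = b"POST /gate HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"
SAMPLE_FLOWS = [("203.0.113.10", SAMPLE_CLIENT_HELLO),
                ("198.51.100.7", SAMPLE_PLAIN_POST)]

if __name__ == "__main__":
    print(suspicious_443_flows(SAMPLE_FLOWS))  # ['198.51.100.7']
```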
Interesting. The UK site was hit earlier this year, you’d think they would be a bit more sensitive to it…the group has been busy…
https://www.securelist.com/en/blog/208188089/Democratic_Party_of_Hong_Kong_Website_Compromised_and_Serving_Spyware
http://news.softpedia.com/news/Drive-By-Download-Attack-Launched-from-Amnesty-International-UK-Website-195507.shtml
https://www.securelist.com/en/blog/2332/Firefox_Tricked_Current_0day
I have no idea exactly what the situation is for “human rights activists” (quotes not intended to signify anything other than quoting Brian’s article) and other people the powers that be don’t like in China but I would have imagined many of them would be using Tor and a safe browser setup, one that won’t run Java applets in other words.
But like I said, I have no idea …
Upon further consideration I guess it’s probably activists outside China that they’re targeting, right?
I propose the trap is not for human rights advocates but for those wanting to give charitably to an organization often linked to fundraising campaigns at Holiday Season and for End of year tax deductions.
The scam could be as simple as finding a vulnerable organization that persons with money donate to, installing a drive-by Trojan that would later be used to empty their bank accounts, then sitting back and waiting as people flock to donate at the end of the year.
I hope the Red Cross, Salvation Army, etc. get scanned & double checked.
Btw, one of the Russian “political prisoners”, Pavel Vroublevsky, was out of jail today, 23rd December. Two weeks ago some articles of the Criminal Code were liberalized, and there was no way to arrest Pavel for more than half a year before the court. But he’s still waiting for the decisions, and could be punished with up to 5 years in jail.
Hi!
I hope it’s OK to ask this slightly off-topic question.
Is it secure to have Java Web Start active and the browser plugin deactivated?
The version is up to date.
You’ve got it all mixed up mate … remove any Java related startup entries, *activate* the web browser plugin for security reasons and *do not* run the web start module while connected to the internet.