December 22, 2011

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil.  The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.

A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.

This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack.  In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability. 

The UK site is not particularly popular – its global rank is 90,203 according to Alexa.com – but the chances are good that the attackers behind this are not after financial data. It appears more likely that the exploit maybe part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations.

The attack against the Amnesty International’s Hong Kong site last year loaded malware that belongs to a notorious family of backdoor Trojans from China. According to a ThreatExpert analysis of the malicious Java file currently being served by Amnesty’s UK site, the malware downloaded appears to be associated with China.

Paul Royal, a research consultant with Barracuda Networks, said the attack fits the profile of previous campaigns against human rights non-governmental organizations.

“Certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists,” Royal wrote in an email to KrebsOnSecurity, noting that the site appears to have been compromised since at least Dec. 16.  “Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.”

These attacks highlight the importance of staying up to date on security patches. In the case of Java, removing oft-targeted software that you don’t really need may be a safer option. Either way, tools like Secunia’s Personal Software Inspector or FileHippo’s Update Checker can help you stay on top of the latest security updates for popular software titles.

Update, 12:59 p.m. ET: Barracuda Labs just published a blog post about this.

Update, Dec. 24, 9:40 a.m. ET: Emerson Povey, digital communications editor for Amnesty International UK, wrote in to say that the exploit has been removed from the site.


12 thoughts on “Amnesty International Site Serving Java Exploit

  1. fdfhgfh

    Why havent you submitted the file to virustotal? I’d like to see the detection rate.

  2. bt

    What ever happened to picking targets that didn’t make you a total scumbag? Seniors? Amnesty Int.? Come on blackhats, class it up a bit.

    1. User

      it looks that this particular malware sample tries to post data with IP 209.40.98.173 on port 443 but it does not use https as protocol

      Whois:

      NetRange: 209.40.96.0 – 209.40.127.255
      CIDR: 209.40.96.0/19
      OriginAS:
      NetName: HOPONE-DCA2-4
      NetHandle: NET-209-40-96-0-1
      Parent: NET-209-0-0-0-0
      NetType: Direct Allocation
      RegDate: 1999-04-28
      Updated: 2005-09-26
      Ref: http://whois.arin.net/rest/net/NET-209-40-96-0-1

      OrgName: HopOne Internet Corporation
      OrgId: HOPO
      Address: 3311 South 120th Place
      City: Tukwila
      StateProv: WA
      PostalCode: 98168-5125
      Country: US
      RegDate: 1999-12-02
      Updated: 2008-10-04
      Comment: HopOne Internet Corp.(R)
      Comment: “The Foundation of Internet Success.”(R)
      Comment: http://www.hopone.net
      Ref: http://whois.arin.net/rest/org/HOPO

  3. Neej

    I have no idea exactly what the situation is for “human rights activists” (quotes not intended to signify anything other than quoting Brian’s article) and other people the powers that be don’t like in China but I would have imagined many of them would be using Tor and a safe browser setup, one that won’t run Java applets in other words.

    But like I said, I have no idea …

    1. Neej

      Upon further consideration I guess it’s probably activists outside China that they’re targetting right?

    2. JS

      I propose the trap is not for human rights advocates but for those wanting to give charitably to an organization often linked to fundraising campaigns at Holiday Season and for End of year tax deductions.

      The scam could be as simple as find a vulnerable organization persons with money donate to. Install a drive by Trojan that would then be used later to empty their bank accounts sit back and wait as people flock to donate at the end of the year.

      I hope Redcross, Salvation Army, etc get scanned & double checked.

  4. Kirosnol

    btw, one of the russian “political prisoners”, Pavel Vroublevsky, was out of jail today, 23th December. Two weeks ago some articles of the Criminal Code were liberalized, and there was no way to arrest Pavel more than for half a year before the court. But he’s still waiting for the decisions, and could be punished up to 5 years in jail.

  5. emil

    hi!
    i hope its ok to ask this slieghtly off topic question.
    is it secure to have java web start active, and the browser plugin deactivated?
    version is up to date.

  6. Henry

    You’ve got it all mixed up mate … remove any Java related startup entries, *activate* the web browser plugin for security reasons and *do not* run the web start module while connected to the internet.

Comments are closed.