A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from Adobe and Oracle.
The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”
One look at the list of the sites found to be currently serving an exploit to attack a newly-patched Adobe Flash Player vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for Amnesty International Hong Kong and the Center for Defense Information, a Washington, D.C. think-tank. The home page for the International Institute for Counter-Terrorism was found to be serving up malware via a recent Oracle Java vulnerability (CVE-2012-0507), while the Cambodian Ministry of Foreign Affairs site was pointing to both Flash and Java exploits.
“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers Steven Adair and Ned Moran, in a blog post about the attacks, which they dubbed “strategic Web compromises.”
“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”
The discoveries come just days after security vendor Websense found that the site for Amnesty International United Kingdom (AIUK) was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the American Research Center in Egypt, the Institute for National Security Studies, and the Center for European Policy Studies.
Shadowserver experts believe that many of the attacks above are likely the work of the same hacking group. For example, Adair and Moran said they found “a clear connection” between the hackers who compromised the AIUK site in this incident and a separate attack on the same site in December 2011, a break-in first reported by KrebsOnSecurity.com. Some of the common elements in the attacks include identical Internet addresses and files (down to the same internal metadata) used in different attacks.
Adair and Moran also called attention to targeted attacks that leverage the Flash flaw (CVE-2012-0779) via Microsoft Word documents, which have the built-in ability to invoke Flash objects. Mila Parkour, the author of the Contagiodump blog, on May 6 published an exhaustive look at just such an attack.
I hope it is obvious to readers that the exploits leveraged in these cyberspy attacks to steal national security and trade secrets are the same weapons that traditional computer crooks use to steal financial information (in fact, last week I blogged about other tantalilzing signs of overlap between these two seemingly disparate communities). It is almost certain that this Flash exploit will soon be bundled into automated exploit kits that are sold to miscreants on the cybercriminal underground, if it hasn’t already. If you use any of the above-mentioned software products and have fallen behind in patching them, please see the following posts:
May 8, 2012: Adobe, Microsoft Push Critical Security Fixes
May 4, 2012: Critical Flash Update Fixes Zero-Day Flaw
Mar 27, 2012: New Java Attack Being Rolled Into Exploit Packs
Thanks very much, Brian. You are my chief source of security information, and I deeply appreciate all you do for all of us.
Brian
Just so long as your site has not been hit. LOL
I opt out on the espionage idea and assume their visitors make those sites a target, following social theories that most of their visitors might be good situated but extremely far away from basic technical understanding. – According to abusedesk experience seniors are a challenge to confess they have been carelessly ignoring basic security even if they don’t regulary surf for prOn.
Reassuringly this audience knows how to ride the political train… .oO(Redmond, the train is coming. Your investors might have questions about some security issues in usability. ;-P) Regrettably those infected PCs in developing countries abused for hacks have no lobby…
“APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”
Best line I’ve read in weeks!
Several years ago I attended a briefing (unclassified, but sensitive) where they laid out how they had tracked the hacking of the Dalai Lama’s office PCs back to China.
IIRC, the briefing ended up in the Washington Post a little later…
What about if Human Rights and good Samaritan type sites have on the network some kind of honeypot machine that spreads planted but not public misinformation.
That way the first time it pops up it’ll at least give some idea of the location of the hacker – the country at least.
Plus, it might give deniability/unreliability to *any* harvested information as how would the hacker know what’s real and what’s not.