Attackers appear to be adding social networking sites to their repertoire of attacks targeting Tibetan activists.
An attacker posted three messages on Twitter containing links to sites hosting malware and addressed them to three specific Twitter accounts associated with Chinese political activists and affiliates, Wes Hurd, a cyber-threat analyst with Cyber Squared, posted on the company blog this week. The rogue Twitter account was registered Feb. 27, and the messages were sent that same day, Hurd said.
The messages contained links to two sites, a Chinese-language forum and a Tibet-related WordPress blog, both of which had been compromised to host exploits targeting Adobe Flash Player, Hurd said. The exploits targeted CVE-2013-0634, which had previously been observed in targeted attacks against aerospace companies. Adobe patched the flaw in an emergency update Feb. 8 and said the attacks were limited to Firefox or Safari users on Mac OS X.
“Security teams often overlook, or fail to consider, how online profiles within social networking sites can be leveraged as an initial attack vector,” Hurd wrote.
Cyber Squared notified Twitter Security of the malicious account and “associated targeted attacks.” As of today, however, the account appears to still be active, although it has not posted again since those three initial messages.
The targeted Twitter accounts were associated with an individual affiliated with a Tibetan independence movement and two Chinese-language accounts associated with political activism, Hurd said.
“All of the tweet recipients share characteristics that would be of interest for Chinese government sponsored cyber espionage actors, and are related to entities that are known targets of Chinese APT,” Hurd wrote.
The messages sent to the two Chinese-language accounts linked to a Chinese-language forum hosting the Flash SWF exploit, Hurd said. The text accompanying the links referenced the current president of China, Xi Jinping, and former Politburo member Bo Xilai.
The link sent to the individual account directed users to a WordPress blog containing a list of all the self-immolation protests carried out in the name of Tibetan independence and hosting a Flash SWF exploit. Cyber Squared also stumbled across a second exploit on this WordPress blog that appeared to be targeting Uyghur supporters, another ethnic group protesting the Chinese government, Hurd said.
SecurityWeek took a look at the targeted accounts, and while the individual had re-posted Twitter messages from the Dalai Lama, the other posts weren’t politically oriented at all. The account also hadn’t had any activity since January. One of the Chinese-language accounts, which posts related news items, has not posted anything new since Feb. 24. The other, associated with a blog called “Global China Network,” continues to be prolific.
The exploits dropped two executables on infected systems, one of which was a remote access Trojan communicating with a command-and-control server to install additional malicious plugins and steal data, Hurd said.
The Twitter-based attack joins several other campaigns that have targeted Tibetan and other political activists in the past year. Citizen Lab recently discovered Android malware targeting Tibetans and reporting their physical locations to the attackers. Kaspersky Lab has also uncovered several Mac OS X malware attacks targeting Uyghur and Tibetan individuals.
Organizations need to consider that “a focused threat actor” can sneak targeted attacks into an enterprise using social networking sites, Hurd added.