A Chinese attack group infected Forbes.com back in November in a watering hole attack targeting visitors working in the financial services and defense industries, according to two security companies.
“A Chinese advanced persistent threat compromised Forbes.com to set up a watering hole style web-based drive-by attack against US defense and financial services firms in late November 2014,” Invincea said in a report posted on its site.
The attack exploited two zero-day vulnerabilities, one in Microsoft’s Internet Explorer and the other in Adobe’s Flash Player, Invincea and iSight Partners said in their joint report released Tuesday. Adobe fixed the flaw back in December and Microsoft updated Internet Explorer as part of its Patch Tuesday release.
The cyber-espionage campaign appeared to last only a few days, but iSight and Invincea did not rule out the possibility of the campaign lasting a longer period of time.
The malware infection was inside the “Thought of the Day” Flash widget which appears whenever users try to access a Forbes.com page. Visitors didn’t need to do anything other than to try to load Forbes.com in their browser to get infected. The demographics of the typical visitor to Forbes.com—senior executives, managers, and other professionals working for major corporations—indicate this campaign focused on cyber-espionage, not cybercrime, said Stephen Ward, an analyst with iSight Partners. Watering hole attacks are insidious because it wouldn’t occur to anyone that these sites could be infected.
Even though Forbes.com is a highly-traffic site with millions of visitors, iSight and Invincea said this wasn’t a widespread malware attack out to compromise as many victims as possible, but rather a very targeted one. Invincea noticed some of its customers in the defense industrial base were targeted by malware when loading Forbes.com, said Norm Laudermilch, COO of Invincea.
While Invincea did not see customers in other industry sectors affected by this attack, iSight researchers observed the same infection targeting visitors from financial services organizations and a handful of other sectors. Both companies declined to identify the companies which had been targeted.
While the infection attempts failed against Invincea customers, it’s likely other visitors to Forbes.com in the targeted sectors were infected. “This was clearly a targeted attack against a specific group of organizations,” Laudermilch said. It wasn’t against specific individuals, because the group would have likely used spear phishing, instead.
Neither iSight or Invincea had the visibility in the attack to be able to tell whether the attack group had achieved its objective against its victims, or even what the exact objective was, Laudermilch said.