Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Espionage Campaign Targets Foreign Policy Domains

In an apparent act of cyber espionage, as the acts are being called by Shadowserver researchers Steven Adair and Ned Moran, persons unknown have staged a series of strategic web compromises in order to spread malware. The attackers hijacked several websites related to matters of government and foreign policy, and used them to deliver malicious payloads to visitors by leveraging unpatched software flaws.

In an apparent act of cyber espionage, as the acts are being called by Shadowserver researchers Steven Adair and Ned Moran, persons unknown have staged a series of strategic web compromises in order to spread malware. The attackers hijacked several websites related to matters of government and foreign policy, and used them to deliver malicious payloads to visitors by leveraging unpatched software flaws.

“The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in,” the researchers explained.

Cyber EspionageWithin the last two weeks, the Shadowserver researchers have observed various compromised domains serving malware by leveraging two recently patched vulnerabilities in Adobe Flash and Java. In the case of the Java exploit that was observed being used by the as yet unknown attackers, the payloads will target both Windows and Mac OS X.

In fact, several otherwise legitimate foreign policy domains remain compromised. As of May 14, the Center for Defense Information, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs, are compromised and serving malicious scripts, the researchers said.

While examining the compromise of the Center for Defense Information’s website, the researchers noted that the primary website hosting the Flash exploit has an IP address that is tied to Gannet Company, Inc. – publishers of USA Today, though the main USAT and Gannet websites remain harmless.

The group responsible for these attacks have hit other domains as well, including the International Institute of Counter-Terrorism at the Interdisciplinary Center (IDC) in Herzliya, Israel, and the International Service for Human Rights (ISHR). In each case, the malware ultimately delivered – a RAT (Remote Access Trojan) named Poison Ivy – means that the attacks fall under the term APT, or Advanced Persistent Threat.

Cyber Espionage attacks are not a fabricated issue and are not going away any time soon, the researchers warn. The attackers are clearly not out to make friends, they are out to steal and likely sell stolen information, and take whatever else they can get as a bonus.

In the case of targeted attacks against humanitarian organizations, the costs of an attack can go much higher than lost data. Stolen information could translate to physical harm, depending on what is taken and where it ends up.

“The cold reality is that, in addition to APTs, most organizations aren’t protected from even the most basic of scripted attacks or common attack tools,” said Dave Marcus, director of advanced research & threat intelligence at McAfee Labs.

Shadowserver’s research can be found here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.