In an apparent act of cyber espionage, as the acts are being called by Shadowserver researchers Steven Adair and Ned Moran, persons unknown have staged a series of strategic web compromises in order to spread malware. The attackers hijacked several websites related to matters of government and foreign policy, and used them to deliver malicious payloads to visitors by leveraging unpatched software flaws.
“The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in,” the researchers explained.
Within the last two weeks, the Shadowserver researchers have observed various compromised domains serving malware by leveraging two recently patched vulnerabilities in Adobe Flash and Java. In the case of the Java exploit that was observed being used by the as yet unknown attackers, the payloads will target both Windows and Mac OS X.
In fact, several otherwise legitimate foreign policy domains remain compromised. As of May 14, the Center for Defense Information, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs, are compromised and serving malicious scripts, the researchers said.
While examining the compromise of the Center for Defense Information’s website, the researchers noted that the primary website hosting the Flash exploit has an IP address that is tied to Gannet Company, Inc. – publishers of USA Today, though the main USAT and Gannet websites remain harmless.
The group responsible for these attacks have hit other domains as well, including the International Institute of Counter-Terrorism at the Interdisciplinary Center (IDC) in Herzliya, Israel, and the International Service for Human Rights (ISHR). In each case, the malware ultimately delivered – a RAT (Remote Access Trojan) named Poison Ivy – means that the attacks fall under the term APT, or Advanced Persistent Threat.
Cyber Espionage attacks are not a fabricated issue and are not going away any time soon, the researchers warn. The attackers are clearly not out to make friends, they are out to steal and likely sell stolen information, and take whatever else they can get as a bonus.
In the case of targeted attacks against humanitarian organizations, the costs of an attack can go much higher than lost data. Stolen information could translate to physical harm, depending on what is taken and where it ends up.
“The cold reality is that, in addition to APTs, most organizations aren’t protected from even the most basic of scripted attacks or common attack tools,” said Dave Marcus, director of advanced research & threat intelligence at McAfee Labs.
Shadowserver’s research can be found here.