CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

NetTraveler APT Attack Changes Tactics to Infect Activists

Researchers at Kaspersky Lab revealed that they have discovered a new attack vector for NetTraveler – an attack campaign that has infected hundreds of victims across more than 40 countries.

Researchers at Kaspersky Lab revealed that they have discovered a new attack vector for NetTraveler – an attack campaign that has infected hundreds of victims across more than 40 countries.

First revealed publicly in June, NetTraveler’s targets have included the oil industry, universities, government institutions and Tibetan/Uyghur activists. After the operation was publicly exposed, the attackers immediately shut down all the known command and control (C&C) systems and moved them to new servers in China, Taiwan and Hong Kong and continued their attacks.

According to Kaspersky Lab, during the past few days, spear-phishing emails were sent to multiple Uyghur activists that included a Java exploit used to infect users with a new variant of the NetTraveler malware. The move was a change from previous attacks, which targeted Microsoft Office (CVE-2012-0158).

In a blog post, Kaspersky Lab Director of Global Research and Analysis Costin Raiu explained that the spear-phishing emails contain a link to a page that appears to be on the World Uyghur Congress website. The real page link however leads to a known NetTraveler domain.

 “This simple HTML loads and runs a Java applet named “new.jar” (c263b4a505d8dd11ef9d392372767633),” he blogged. “The “new.jar” is an exploit for CVE-2013-2465, a very recent vulnerability in Java versions 5, 6 and 7, that was fixed by Oracle in June 2013. It’s detected and blocked by Kaspersky products generically as “HEUR:Exploit.Java.CVE-2013-2465.gen”.”

On top of the spear-phishing emails, the attackers have set up watering holes to trap victims as well. During the past month, Kaspersky Lab said it has intercepted and blocked infection attempts from the wetstock.org domain – a site linked to previous NetTraveler attacks. The redirections appear to come from another Uyghur-related website belonging to the Islamic Association of Eastern Turkistan.

The firm recommends users update Java and other third-party software to the most recent version, and be wary of clicking on links or opening attachments from unknown parties.

“So far, we haven’t observed the use of zero-day vulnerabilities with the NetTraveler group,” Raiu said in a statement. “To defend against those, although patches don’t help, but technologies such as Automatic Exploit Prevention and DefaultDeny can be quite effective fighting advanced persistent threats.”

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.