Central Tibetan Administration Website (Tibet.Net) Compromised In Watering Hole Attack
The website for the Central Tibetan Administration, the official site belonging to the Dalai Lama’s government in exile, was compromised by attackers who injected code that redirected Chinese speaking visitors to a Java exploit that drops a malicious backdoor.
Kaspersky Lab shared details of the attack on Monday and said the attack “strategically compromised” the Tibet.net website, which provides information about the parliament, cabinet, administrative departments and public offices of the Dalai Lama’s government in exile.
Kurt Baumgartner, a researcher at Kaspersky Lab, called the selection of placement for the malicious code “fairly extraordinary”.
“We are a prominent target for attacks by Chinese hackers,” Tashi Phuntsok, a spokesman for the exiled government, told AFP. “I assume they do it to steal our documents, disable our communication systems or spy on people who visit our sites,” he added.
According to Baumgartner, the attack was highly targeted and leveraged an embedded iframe that redirects “xizang-zhiye(dot)org” visitors (the CN-translated version of the site) to a java exploit that maintains a backdoor payload in attempt to infect unsuspecting visitors.
“The Java exploit being delivered is the 212kb “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well,” Baumgartner noted a blog post on the Kaspersky-run Securelist website. “That file is a 397 kb win32 executable ‘aMCBlHPl.exe’ (a6d7edc77e745a91b1fc6be985994c6a) detected as “Trojan.Win32.Swisyn.cyxf”. Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.”
Interestingly, the English and Tibetan versions of the website did not serve up the malicious embedded iframe.
The Java exploit appears to attack CVE-2012-4681, an older vulnerability which Kaspersky Lab says was used by the actor distributing the original CVE-2012-4681 zero-day Gondzz.class and Gondvv.class last August.
“The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java’s built-in AES crypto libraries, but the package is not configured to use that code in this case,” Baumgartner continued. “Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file’s win32 exe resource.”
Baumgartner said the backdoor itself is incorrectly detected by many AV vendors as variants of gaming password stealers.
The related command and control server is located at news.worldlinking.com, a domain that resolves to the IP address 59.188.239.46, which based on SecurityWeek’s analysis, is located at “New World Telephone” in Hong Kong .
“This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spear phishing campaigns against a variety of targets that include Tibetan groups,” Baumgartner added.
SecurityWeek has previously covered several attacks targeting Tibetan activists, including one that leveraged Twitter, a 2012 attack that targeted Mac OS users, and a March 2013 attack that leveraged Android malware, along with several others.
The Dalai Lama’s official website www.dalailama.com did not appear to be affected by the attack.
In 1959, the Dalai Lama fled Tibet after a failed uprising against Chinese rule, offered refuge later by India where founded the government in exile in Dharamshala. China accuses the Dalai Lama as being a “separatist” who provokes violence in Tibet, while the Dalai Lama maintains a position that his goal is a peaceful attempt to operate his homeland.