Cyberspies Target Victims Via Strategic Drive-by Website Attacks

Published: 22/11/2024   Category: security



Cyberespionage attackers more and more are injecting specific, legitimate websites with malware in hopes of snaring victims with common interests -- most recently, human rights organizations



Human rights organizations are currently under attack via the Center for Defense Information's website, Amnesty International Hong Kong's website, and the Cambodian Ministry of Foreign Affairs' ASEAN 2012 website -- all of which have been hacked to inject malicious iFrames that are served to unknowing visitors, according to the Shadowserver Foundation.
A handful of other websites also had been hit with similar malware but since have been remediated, including the American Research Center in Egypt, the Institute for National Security Studies in Israel, and the Centre for European Policy Studies.
The weapon of choice for a cyberspy or advanced persistent threat (APT) actor gaining a foothold inside its target has traditionally been the socially engineered email with a malicious link or attachment. But cyberspies are increasingly targeting specific, legitimate websites and injecting them with malware in hopes of snaring visiting victims from organizations in similar industries and sectors.
Shadowserver calls this not-so-new phenomenon strategic Web compromise: the attackers inject their malware into websites associated with, for example, defense, human rights, foreign policy, and foreign relations, which individuals who work for government agencies, companies, or organizations involved in those areas are most likely to visit. This method of targeting victims has been on the upswing during the past few months, according to Shadowserver.
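The injections described above show up in a site's own HTML as iframes the site owner never added, typically pointing off-site and styled or sized so the visitor never sees them. The following scanner is an added example (not code from the article, Shadowserver, or Websense) that a site owner could run over fetched page source to flag such frames. The hostname `ngo.example`, the sample page, and the TEST-NET-2 address used for the injected frame are all constructed for the demonstration.

```python
"""Added example: flag iframes that look injected in a site's own HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that hide an element from the visitor while the browser still loads it
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel, a classic way to keep a frame invisible."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", str(value))
    return match is not None and int(match.group(1)) <= 1


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...])] for iframes that are off-site, hidden, or near-zero size.

    site_host is the hostname the page legitimately belongs to; frames whose src
    points anywhere else are reported, as are frames styled or sized to be invisible.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a page from a hypothetical NGO site (ngo.example) with one legitimate
# same-origin embed and one injected frame pointing at a TEST-NET-2 documentation address.
SAMPLE_HTML = """
<html><body>
<h1>Annual report</h1>
<iframe src="https://ngo.example/embed/map" width="600" height="400"></iframe>
<p>Contact us.</p>
<iframe src="http://198.51.100.23/x.html" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "ngo.example"):
        print(src, "->", ", ".join(reasons))
```

Run against the constructed page, the legitimate map embed passes and the one-pixel, CSS-hidden, off-site frame is reported with all three reasons. In practice the check is most useful when run against the HTML the web server actually returns to an outside visitor rather than the files on disk, since a compromise can also live in a template, a database field, or server configuration rather than a static file.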
"We've definitely seen an increase in the number of these ... more in the last year," says Steven Adair, a security expert with Shadowserver. Unlike the regular drive-by infection meant to indiscriminately infect as many people as possible, these targeted drive-by infections are all about hooking website visitors from specific types of organizations.
Adair says targeted email attacks and spear-phishing are still the No. 1 vector for cyberespionage. "The Web drive-by attack is definitely not new ... but it appears to be increasing," he says.
But these attackers are also employing the drive-by as a first step, possibly because some organizations have become wiser about falling for social engineering ploys or opening attachments. Although the website compromise casts a wider net, it still focuses on a group of people with common interests or professions.
"It is less precise, but at the same time you will compromise more victims that all have common interests or are involved in the same activities. It could very well be a first phase in an attack that will lead to more precise attacks later, based on what the attackers find now," says Patrik Runald, director of Websense Security Labs.
Researchers at Shadowserver and Websense have spotted several such targeted attacks in recent days and weeks. The attackers have employed exploits for the recently patched Oracle Java bug (CVE-2012-0507), the one used by the Flashback Trojan, and for an Adobe Flash bug (CVE-2013-0779), according to Shadowserver. Cyberspies have used the Java exploit to target Mac users as well, in foreign policy and human rights organizations who visit sites associated with their areas of interest, such as Amnesty International Hong Kong (AIHK). They are ultimately installing remote access Trojans (RATs) onto victims' machines in order to exfiltrate information.
Websense first spotted the compromised AIUK site serving up Java exploits. "We have seen different Amnesty websites get compromised in the past -- 2010, at least twice in 2011 -- serving exploits of a recently patched vulnerability, so ... it didn't come as a big surprise. The trend of pushing RATs is, while not surprising, an interesting development," Websense's Runald says.
"The compromised Amnesty websites dumped Gh0stRAT malware on visiting users' machines, for example," he says. "Another example would be the Institute for National Security Studies in Israel, where visitors were infected with Poison Ivy, the same RAT that was used in the RSA attack."
Another site that has been targeted by APT actors in recent weeks is the Washington, D.C.-based Center for Defense Information (CDI): Shadowserver says the site is now spreading a Flash exploit that is connected to known cyberespionage actors. But the CDI site isn't hosting the exploit; the attackers have instead placed the exploits on two servers owned by Gannett Company and USA Today, as well as on servers in Korea and Austria.
The USA Today website itself is not compromised, but a Web server registered to USA Today is. "One of their IPs was hacked and it's hosting the exploit code," Adair says. "So people visiting the USA Today [website] are not being infected."
Why use legitimate intermediary servers rather than host it all on the CDI site? Adair says there's no way to know for sure, but the attackers may be doing so for redundancy reasons, to help remain under the radar (a hallmark of the drive-by attack), and to avoid getting blocked.
"I believe that it's as simple as they were able to compromise it, and as it's a server with good reputation, hosted in the U.S., it won't raise suspicion if network administrators see traffic to that IP in their logs. So it served their purpose well, but I don't believe there was any specific reason why that server was used beyond that," Websense's Runald says.

[Figure: CDI Flash Exploit. Source: Shadowserver Foundation]

Cyberspies and APT attackers are also employing zero-day exploits. "When you find there's a zero-day exploit discovered in the wild that was being used ... in limited attacks in the wild, that is always bad news," Shadowserver's Adair says. "That's bad for people doing defense. It has been going around and not a lot knew about it, or a lot of defenses for it."
The downside for victims who get infected at these websites is that the attacks are invisible; in most cases, users don't know they picked up the Trojan or other malware. They also don't know that their infected machine was the attackers' gateway into their organizations. As with anything else, the main defense is best security practices, such as keeping software updated and patched.
"The vulnerabilities used in these attacks have been fixed. Java, Flash, and Adobe Reader are the three most targeted applications in Web-based attacks, so users really must make sure they install the latest version as soon as it's available. Also consider uninstalling Java if you don't have a need for it," Websense's Runald advises.
[ With conventional wisdom now that advanced attacks happen, has the time come to create the next-generation sandbox or other containment method? See Advanced Attacks Call For New Defenses. ]
As for the websites that are now in the bull's eye of the APT, locking down administrative accounts, sanitizing upload forms, and securing Web application code is crucial, according to Shadowserver's Adair, who posted a blog today that includes graphics and samples of the attacks.
"Website owners have to make sure that they close all holes that allow SQL injection or other compromises to take place. In these cases, it looks like SQL injections have been used," Runald says.
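The SQL injection hole Runald refers to is, at its simplest, a query whose text is built by concatenating a request parameter. The following is an added example, not code from the article or from any of the compromised sites, showing a page lookup written that way beside the same lookup with a bound parameter. The `pages` table, its rows, and the function names are constructed for the demonstration; SQLite is used only because it ships with Python, and the same distinction applies to any database driver.

```python
"""Added example: the same lookup written with string concatenation and with a bound parameter."""
import sqlite3


def make_demo_db():
    """Build an in-memory table of pages; constructed data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (slug, body, published) VALUES (?, ?, ?)",
        [("about", "About us", 1), ("draft-report", "Unpublished draft", 0)],
    )
    return conn


def published_slug_vulnerable(conn, slug):
    """Request parameter is pasted into the SQL text, so the input can alter the query itself."""
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "' AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def published_slug_safe(conn, slug):
    """Bound parameter: the driver passes the input as a value, never as SQL syntax."""
    sql = "SELECT slug FROM pages WHERE slug = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (slug,))]


def vulnerable_raises_on_apostrophe(conn):
    """Even a benign input containing a quote breaks the concatenated query."""
    try:
        published_slug_vulnerable(conn, "o'neill")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("safe lookup:", published_slug_safe(db, "about"))
    print("safe with quote in input:", published_slug_safe(db, "o'neill"))
    print("concatenated query breaks on a quote:", vulnerable_raises_on_apostrophe(db))
```

The bound-parameter version returns the same row for a normal slug, returns nothing for an input that merely contains an apostrophe, and returns nothing for the textbook `' OR 1=1 --` input, because the driver treats the whole string as a literal value. The concatenated version errors out on the apostrophe and, for the latter input, returns every row including the unpublished one, which is the behaviour that lets an attacker read or modify content they should not be able to reach.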