Attackers Hit Human Rights, Foreign Policy Websites With Drive-By Exploits

 
 
By Brian Prince  |  Posted 2012-05-16
 
 
 

Hackers are targeting Websites for human rights and foreign policy think tanks to spread malware and to conduct cyber-espionage.

According to the Shadowserver Foundation, attackers have launched a series of €œstrategic Web compromises€ that infect users via drive-by exploits. Attacks targeting human rights organizations are hardly new. In 2010, a report from Harvard University's Berkman Center for Internet and Society found that 280 independent media and human rights Websites were hit with 140 denial-of-service attacks between September 2009 and August 2010.

Rather than using denial-of-service attacks or launching mass compromises, however, these latest attacks are attempts to insert exploit code on legitimate Websites that attract political activists and others considered to be people of interest by attackers. Among the victims are Amnesty International Hong Kong, Center for Defense Information and the International Institute for Counter-Terrorism.

€œThese types of attacks seem to be increasing as the attackers look for additional ways to target and compromise a particular demographic while still being somewhat indiscriminate,€ said Shadowserver€™s Steve Adair. €œI think attackers are finding that instead of going to the targets, that they can let the targets come to them. Even a person that's been trained on how to spot and notice suspicious emails will likely have their guard down when visiting a Website they go to every day or every week.€

These attacks are not replacing spear-phishing by any means, but various attackers appear to be looking for more ways to conduct espionage online, he said.

€œSpear-phishing is still quite prevalent and will not likely go away, but I think we'll still see a trend of these Websites being compromised to distribute targeted malware,€ he explained to eWEEK. €œAn ongoing problem in this arena, too, is that Websites are often compromised for a few hours or days, and are cleaned up without a trace or mention to the public. These compromises happen more often than we realize, and we only catch and see a portion of them.€

In several cases, the attackers turned to zero-day exploits to infect users, though known vulnerabilities were used as well. For example, the Amnesty International Hong Kong site was found recently by Websense to be serving exploits for the Java vulnerability CVE-2012-0507, a bug that has also been linked to the spread of the Flashback malware. Another common vulnerability targeted by the attackers in the past two weeks is CVE-2012-0779, a recently-patched security hole in Adobe Flash Player.

€œTo be honest, I don't think there has been an increase in the number of zero-days that have been used,€ Adair said. €œWe track on this pretty closely, and without fail, there is a new zero-day exploit for a major piece of software every few months€”sometimes more frequently. It has an ebb and flow, but we see exploits for Adobe Flash and Acrobat/Acrobat Reader, Java and Microsoft Office products fairly frequently. We're still seeing browser exploits and other software too from time to time. The fact that a lot of these exploits are found in the wild means they have been used for a period of time€”sometimes for quite a while€”without anyone even realizing it.

€œA major problem that organizations face is that they can be fully patched and are still vulnerable,€ he continued. €œThis really shows that we need to put an emphasis on other security mechanisms, rather than just patching or applying updates. The way malware is installed hasn't changed all that much in the last five years, so it's time to look at technical controls that can help protect the end user from the unknown,€ Adair said.

"CSOs [chief security officers] should be aware that attacks to corporate networks are common occurrences and happen on a daily basis to poorly configured Websites,€ said Dave Marcus, director of advanced research and threat intelligence at McAfee Labs.

€œThe cold reality is that, in addition to APTs [Advanced Persistent Threats], most organizations aren't protected from even the most basic of scripted attacks or common attack tools,€ he added. €œEnsuring security policies, network security prevention and detection, as well as incident-response plans are all up to date, will help your organization prevent and mitigate APT attacks."

Rocket Fuel