Friday, December 23, 2011

APT: Amnesty International Site Serving Java Rhino Exploit

Via Krebs on Security -

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.


This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack. In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability.
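The chain Krebs describes (a page on one site loading a Java applet from a different, compromised site, which then fetches an executable) leaves a recognisable pattern in web-proxy logs. Below is an added hunting example, not code from the post or from Krebs; the log format, hostnames and timing window are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log in a simplified format (one request per line):
# "<ISO timestamp> <client> <url> <referrer or -> <content-type>"
SAMPLE_LOG = """\
2011-12-23T10:00:01 10.0.0.5 http://www.example-ngo.test/ - text/html
2011-12-23T10:00:02 10.0.0.5 http://cars.example-br.test/x/load.js http://www.example-ngo.test/ application/javascript
2011-12-23T10:00:04 10.0.0.5 http://cars.example-br.test/x/app.jar http://www.example-ngo.test/ application/java-archive
2011-12-23T10:00:09 10.0.0.5 http://cars.example-br.test/x/update.exe - application/x-msdownload
2011-12-23T10:05:00 10.0.0.7 http://www.example-ngo.test/ - text/html
2011-12-23T10:05:01 10.0.0.7 http://cdn.example-ngo.test/site.js http://www.example-ngo.test/ application/javascript
"""

# Content types a Windows executable download is typically served with.
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

def parse(line):
    ts, client, url, ref, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "ref": None if ref == "-" else ref, "ctype": ctype}

def host(url):
    return urlparse(url).hostname

def find_driveby_chains(log_text, window=timedelta(seconds=60)):
    """Flag clients that load a Java archive referred from a page on a
    different domain and then pull an executable within `window`."""
    by_client = {}
    for line in log_text.splitlines():
        if line.strip():
            e = parse(line)
            by_client.setdefault(e["client"], []).append(e)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, jar in enumerate(evs):
            is_jar = jar["ctype"] == "application/java-archive" or jar["url"].lower().endswith(".jar")
            if not is_jar or not jar["ref"]:
                continue
            if host(jar["ref"]) == host(jar["url"]):
                continue  # applet hosted by the page's own site: not the cross-domain pattern
            for later in evs[i + 1:]:
                if later["ts"] - jar["ts"] > window:
                    break
                if later["ctype"] in EXE_TYPES or later["url"].lower().endswith(".exe"):
                    hits.append({"client": client, "page": jar["ref"],
                                 "applet": jar["url"], "payload": later["url"]})
                    break
    return hits
```

Real proxy formats (Squid, Bluecoat, Zscaler) differ from the constructed one, so only `parse` needs adapting; the referrer-to-applet host mismatch is the signal worth keeping.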


Human Rights Group Used to Spy on Activists
The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

In recent weeks, I have become aware of APT actors using the CVE-2011-3544 exploit in targeted attacks. This Amnesty International attack seems to match all the characteristics associated with previous attacks on human rights organizations - many of which were believed to be APT actors as well.

Information Warfare Monitor has been blogging about attacks against human rights organizations for some time...

Flash Malware Leads to Poison Ivy RAT on Human Rights Site (July 2011)

Ongoing Attacks on Human Rights Web sites and the Problem of Attribution (April 2011)

Flash cache exploit debuts in Amnesty attack (April 2011)

Nobel Peace Prize, Amnesty HK and Malware (Nov 2010)

Human Rights and Malware Attacks (Aug 2010)
