Friday, May 13, 2011

Government and Human Rights Websites Fall Victim to Targeted Web Malware Attack

On May 11th, 2011, we detected a targeted attack against an Asian political party’s website that caused the site to serve malware to unsuspecting visitors. We had found a similar targeted malware attack in April on the UK site of a global human rights organization, and that earlier incident served as a big clue: the campaign so far includes two other countries’ websites that are part of the same human rights organization, in the Philippines and Hong Kong. It is worth noting that these attacks were discovered through a free value-added service that comes with VeriSign SSL Certificates, provided in conjunction with our partner Armorize Technologies.
In the case of the attack on the Asian political party’s website, visiting the website caused a backdoor to be installed without the visitor’s knowledge. Because it was a targeted attack, the antivirus detection rate against it was very low; 0 out of 43 vendors on VirusTotal detected this backdoor: http://www.virustotal.com/file-scan/report.html?id=681c76134a6cfecee07fb2b377d3e748f74ed86d00a8ae24596e63fd8019f637-1305115050
We found that the backdoor connected back to command & control at 203.98.168.29, an IP address in Hong Kong.
The Asian political party’s website was injected with two malicious HTML snippets:
  <script src="js/jquery-gui.ajax.js" type="text/javascript"></script>
  <script src="js/jquery-ui.ajax.js" type="text/javascript"></script>
These two snippets generated an iframe pointing to different exploits hosted on the Philippines human rights website, which we found was also compromised. We just finished working with the organization and remediated the situation.
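One way a site owner could catch injected tags like the two above is to compare the script references in a served page against an approved baseline. This is an added example, not code from the original post; the baseline list, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def normalize(src):
    """Reduce a src to (host, path) so 'js/a.js' and './js/a.js?v=2' compare equal."""
    parts = urlparse(src)
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    return (parts.netloc.lower(), path)


def unexpected_scripts(html, baseline):
    """Return script sources present in the page but absent from the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    approved = {normalize(s) for s in baseline}
    return [s for s in collector.sources if normalize(s) not in approved]


# Constructed baseline and page; the two extra tags are the ones quoted in the post.
BASELINE = ["js/jquery.js", "js/jquery-ui.js", "js/site.js"]
PAGE = """<html><head>
<script src="js/jquery.js" type="text/javascript"></script>
<script src="./js/jquery-ui.js?v=3" type="text/javascript"></script>
<script src="js/jquery-gui.ajax.js" type="text/javascript"></script>
<script src="js/jquery-ui.ajax.js" type="text/javascript"></script>
<script src="js/site.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in unexpected_scripts(PAGE, BASELINE):
        print("not in baseline:", src)
```

A baseline of file names does not detect changes made inside an approved file, so pair it with content hashes of the files themselves.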
We discovered there had been more than 10,400 visitors to the compromised Philippines site prior to the fix, all of whom may be infected. We’ve identified a log file which lists the IP addresses, operating systems, locale settings and referers of the victims. The log file suggests that the computers of the website admins are likely to have been infected by this Web malware (drive-by download).
From the exploits and the file names, it is apparent that the attacker is the same group that targeted the UK human rights group’s website on April 13th. In the UK incident, the attacker used a variation of the drive-by download technique called drive-by cache. Details as to the type of attack can be found here: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html
As previously mentioned, the chain of events helped us identify a third website, a human rights website in Hong Kong, that has recently fallen victim to the same group and is currently serving up malware. The website is still infected as of now, and we’ve been in communication with the website to remediate the issue (this particular site is not a customer).
Summary of events:
April 13, 2011: Human rights website in UK. We detected this website to be serving malware, leveraging the zero day exploit CVE-2011-0611 (the issue was fixed shortly after it was identified). One of the exploits used an uncommon exploitation technique, drive-by cache, which helps to further reduce the antivirus detection rate, which was 0 out of 40 vendors on VirusTotal. One of the malware files was named newsvine2.jp2. It connects back to 182.237.3.105, an IP in Hong Kong.
May 11, 2011: Website of a ruling Asian political party. It included an iframe that pointed to the Philippines human rights website. The Asian political party’s site was fixed May 12.
Philippines human rights website: was found to be serving malware (fixed as of May 13). The same newsvine2.jp2 was found among several malware files. Detection rate is 0 out of 43 vendors on VirusTotal. The malware connects back to 203.98.168.29, an IP again in Hong Kong. Exploits included one for CVE-2011-0094, which is rare. From our investigation, this exploit was uploaded to the website on Apr 8th, at which time CVE-2011-0094 was still a zero day.
Hong Kong human rights website: currently serving malware. It uses the same technique (drive-by cache with malware named newsvine2.jp2) and connects back to 59.188.5.19, an IP again in Hong Kong and of the same ASN, AS17444. Working to fix the issue.
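The indicators in the summary above can be swept against outbound proxy logs to find visitors who may have been infected. This is an added example, not part of the original post; the log format, client addresses and site names are constructed, and it assumes the file name newsvine2.jp2 is visible in the request URL.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Indicators quoted in the post.
C2_IPS = {"203.98.168.29", "182.237.3.105", "59.188.5.19"}
PAYLOAD_NAME = "newsvine2.jp2"

# Constructed log lines. Assumed format: time client dest_ip method url
SAMPLE_LOG = """\
2011-05-11T09:14:02Z 10.0.4.17 198.51.100.20 GET http://news.example/index.html
2011-05-11T09:14:05Z 10.0.4.17 192.0.2.80 GET http://rights.example/images/newsvine2.jp2
2011-05-11T09:14:31Z 10.0.4.17 203.98.168.29 CONNECT 203.98.168.29:443
2011-05-11T10:02:10Z 10.0.7.3 192.0.2.80 GET http://rights.example/about.html
2011-05-11T11:30:00Z 10.0.8.8 192.0.2.80 GET http://rights.example/cache/NEWSVINE2.JP2?x=1
malformed line
2011-05-12T08:00:00Z 10.0.9.9 59.188.5.19 GET http://59.188.5.19/
"""


def sweep(log_text):
    """Map each client IP to its list of (time, reason) indicator hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        when, client, dest, _method, url = fields
        if dest in C2_IPS:
            hits[client].append((when, "c2:" + dest))
        # Compare only the last path segment, case-insensitively.
        name = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if name == PAYLOAD_NAME:
            hits[client].append((when, "payload:" + PAYLOAD_NAME))
    return dict(hits)


def triage(hits):
    """Label each client: C2 contact outranks a payload fetch alone."""
    return {
        client: "c2-contact" if any(r.startswith("c2:") for _, r in events)
        else "payload-fetch-only"
        for client, events in hits.items()
    }


if __name__ == "__main__":
    for client, label in sorted(triage(sweep(SAMPLE_LOG)).items()):
        print(client, label)
```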
A targeted attack works differently from general criminal activity. In a targeted attack, the aim is to infect a specific group of users who access specific sites, not to mass-infect websites on a broad scale. Zero day exploits are commonly used in this type of attack because the narrow targeting reduces exposure and prolongs the lifetime of the exploit, whereas a mass infection of random victims would defeat the ultimate goal of targeting a specific set of users. In the case of these specific attacks, we could observe the unique exploits being injected into very few websites of a similar nature targeting a specific group of users.
In this particular case, the chain of incidents all involved injected scripts, exploits, and malware that are only found in a few infected websites, which is rare. The methods and exploits used were also rare and not commonly seen in the wild. Zero day exploits were used. Antivirus detection rates for the installed malware were very low. This all makes us believe that this is a targeted attack aimed at government and human rights websites in particular.
Any organization facing these risks should take care to compose defences that are robust enough to defend against the escalating threats now in play. Symantec recommends the following defences for your web-based infrastructure:
  • Host Intrusion Prevention Systems (HIPS) – HIPS technologies let you lock down key servers from unauthorized modifications. Attackers frequently rely on poorly defended web servers as part of their game plan. Protecting these servers helps you to stop them from pushing malware at people browsing your site.
  • Managed Security Services (MSS) – Many organizations facing these attacks may want to consider outsourcing some of their incident response team to a third party. Managed Security Services Providers allow you to delegate these tasks to experts in threat detection and remediation so that your team can focus on tasks that are core to your group’s mission.
  • Automated Malware Scanning – Symantec’s VeriSign division offers proactive automated scanning for malware as an option for customers that use our SSL certificates. These scans are an excellent way to diligently check for signs of infection coming off your site that may cause unintended harm to people who come to your website.
Posted by Symantec