Cyber spies exploiting Java, Flash flaws
Such activity is often paid for, or sanctioned by, government agencies
By Antone Gonsalves
May 17, 2012 — CSO — Cyber spies have planted Java- and Flash-exploiting malware on Web sites focused on human rights, defense and foreign policy.
Over the last two weeks, the Shadowserver Foundation, a nonprofit group that tracks Internet threats, has discovered several such compromised Web sites that download the malware through visitors' browsers. The malware, which exploits known flaws in Adobe Flash and Java, is aimed at Mac and Windows systems.
Sites that were serving malware as of Monday included those of the Center for Defense Information, a research group focused on U.S. national security; Amnesty International Hong Kong; the Cambodian Ministry of Foreign Affairs; and the International Institute for Counter-Terrorism at the Interdisciplinary Center in Herzliya, Israel, Shadowserver said. Last week, security vendor Websense reported that the site of Amnesty International United Kingdom was serving Java-exploiting malware.
Such targeted attacks have become a major problem for corporations, particularly those within the defense industry or manufacturing. In its 2011 annual security report, network equipment maker Cisco found that cyber criminals were moving from large-scale attacks using spam to working for organizations that pay handsomely for electronic documents stolen from particular international corporations and law firms, government agencies and research organizations.
"It's a very prevalent attack right now," Liam O Murchu, manager of Symantec's Security Response Operations, said. "We've seen large increases in these types of attacks in the last year."
To protect themselves, Symantec advises companies to isolate the kind of data that would be a target in a cyber-espionage campaign, and then monitor it to see who is accessing it, how they are accessing it and whether there is unusual activity, such as the movement of large amounts of data.
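As an added illustration of the monitoring Symantec recommends (this is not code from the article, Symantec or Shadowserver), the script below scans constructed file-share audit lines for three of the signals mentioned: access outside working hours, access from a host other than the user's usual workstation, and a user's daily volume from the protected share exceeding a limit. The log format, the user-to-host mapping and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real data): who touched the protected
# share, from which host, and how many bytes moved.
SAMPLE_LOG = """\
2012-05-14T09:12:03 user=alice action=read path=/secure/contracts/a.pdf bytes=204800 src=WS-ALICE
2012-05-14T09:40:11 user=bob action=read path=/secure/contracts/b.pdf bytes=102400 src=WS-BOB
2012-05-14T10:02:45 user=alice action=read path=/secure/contracts/c.pdf bytes=307200 src=WS-ALICE
2012-05-14T23:17:09 user=bob action=copy path=/secure/contracts/ bytes=734003200 src=WS-BOB
2012-05-15T03:05:51 user=carol action=read path=/secure/rd/roadmap.docx bytes=51200 src=UNKNOWN-HOST
"""

# Assumed key=value line layout; adjust the pattern to the real audit source.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+) src=(?P<src>\S+)"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def flag_unusual_access(log_text, expected_hosts, daily_byte_limit, work_hours=(8, 19)):
    """Return (kind, user, detail) alerts for off-hours access, access from an
    unexpected host, and per-user daily volume above daily_byte_limit."""
    alerts = []
    per_user_day = defaultdict(int)
    for rec in parse(log_text):
        hour = rec["ts"].hour
        if not (work_hours[0] <= hour < work_hours[1]):
            alerts.append(("off_hours", rec["user"], rec["ts"].isoformat()))
        if expected_hosts.get(rec["user"]) != rec["src"]:
            alerts.append(("unexpected_host", rec["user"], rec["src"]))
        per_user_day[(rec["user"], rec["ts"].date())] += rec["bytes"]
    for (user, day), total in per_user_day.items():
        if total > daily_byte_limit:
            alerts.append(("volume", user, f"{day}:{total}"))
    return alerts

if __name__ == "__main__":
    hosts = {"alice": "WS-ALICE", "bob": "WS-BOB", "carol": "WS-CAROL"}  # assumed mapping
    for alert in flag_unusual_access(SAMPLE_LOG, hosts, 100 * 1024 * 1024):
        print(alert)
```

On the sample data this raises four alerts: two off-hours accesses, one access from an unknown host, and one user moving roughly 700 MB in a day.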
In the latest attacks, the malware opens a backdoor on infected systems so that it can receive commands from a remote control server, which also receives the stolen data. In the case of the Amnesty International sites, Shadowserver believes the hackers responsible for compromising the Hong Kong site were also involved in infecting the U.K. site.
The Flash-exploiting malicious code on the CDI site was traced to attackers known to engage in cyber-espionage, Shadowserver volunteers Steven Adair and Ned Moran wrote in a Shadowserver blog post Tuesday. "This threat group appears to be interested in targets with a tie to foreign policy and defense activities."
In the last few weeks, Shadowserver has discovered other sites compromised by the same attackers. Those sites included the American Research Center in Egypt, the Institute for National Security Studies in Israel and the Centre for European Policy Studies. All the sites have since been cleaned of malware.