Cyber spies have planted Java- and Flash-exploiting malware on websites focused on human rights, defence and foreign policy.
Over the last two weeks, the Shadowserver Foundation, a nonprofit group that tracks internet threats, has discovered several such compromised web pages that download the malware through visitors' browsers. The malware, which exploits known flaws in Adobe Flash and Java, is aimed at Mac and Windows systems.
Sites that were serving malware at the beginning of this week were for the Center for Defense Information, a research group for US national security; Amnesty International Hong Kong, the Cambodian Ministry of Foreign Affairs, and the International Institute of Counter-Terrorism at the Interdisciplinary Center in Herzliya, Israel, Shadowserver said. Last week, security vendor Websense reported that the site of Amnesty International United Kingdom was serving Java-exploiting malware.
Such targeted attacks have become a major problem for corporations, particularly those within the defence industry or manufacturing. In its 2011 annual security report, network equipment maker Cisco found that cyber criminals were moving from large-scale attacks using spam to working for organisations that pay handsomely for electronic documents stolen from particular international corporations and law firms, government agencies and research organisations.
"It's a very prevalent attack right now," Liam O Murchu, manager of Symantec's Security Response Operations, said. "We've seen large increases in these types of attacks in the last year."
To protect themselves, Symantec advises companies to isolate the kind of data that would be a target in a cyberespionage campaign, and then monitor it to see who is accessing it, how they are accessing it and whether there is unusual activity, such as the movement of large amounts of data.
In the latest attacks, the malware opens up a backdoor in infected systems, in order to receive commands from a control server located in a remote location. The server also receives stolen data. In the case of the Amnesty International sites, Shadowserver believes the hackers responsible for compromising the Hong Kong site were also involved in infecting the UK site.
The Flash-exploiting malicious code in the CDI site was traced to attackers known to engage in cyberespionage, Shadowserver volunteers Steven Adair and Ned Moran said in its blog earlier this week. "This threat group appears to be interested in targets with a tie to foreign policy and defense activities."
In the last few weeks, Shadowserver has discovered other sites compromised by the same attackers. Those sites included the American Research Center in Egypt, the Institute for National Security Studies in Israel and the Centre for European Policy Studies. All the sites have since been cleaned of malware.
In recent months, Shadowserver has seen malware exploiting zero-day vulnerabilities in cyberespionage attacks. "Frequently by the time a patch is released for the vulnerabilities, the exploit has already been in the wild for multiple weeks or months - giving the attackers a very large leg up," Adair and Moran said.
Adobe and Oracle, which manages Java, have issued patches for the holes in their respective products. Cybercriminals often target known flaws, gambling that many people are on the web with unpatched systems. Such an assumption is often correct. In general, up to 60% of Java installations are never updated to the latest version," according to security vendor Rapid7.
The Java vulnerability in the latest attacks was the same exploited last month by hackers in infecting 600,000 Mac computers. Apple was criticised for not releasing a patch until six weeks after it was available for Windows systems.
The latest cyber espionage activity has the same goal as similar attacks, which is to steal data. Targets typically include e-mail communications, research and development documents, intellectual property and information on contracts and business negotiations. Such activity is often paid for or sanctioned by government agencies. International companies are also suspected of hiring hackers to spy on rivals.
"It is important to note that there is not a single monolithic group responsible for all of these attacks," Adair and Moran said.