Saturday, 24 December 2011

Amnesty International UK Attacked

Serving up Malware

Wouldn't it be ironic, and not in a wholesome or entertaining way, if the very act of visiting my (loosely) security based blog, and clicking on my very well intentioned Amnesty International sidebar, were to leave you infected with malware of a context-specific kind? Namely Trojan Spy-XR, the kind that spies on the activities of human rights activists, returning the electronic information so obtained to... certain countries...

Okay: China. There is evidence (from this ThreatExpert analysis) that the malicious Java file, currently being served in a cross-site way through a certain genuine but compromised Brazilian automotive website, appears to be associated with China. Brian Krebs reports the malware as belonging to "a notorious family of backdoor Trojans" from that quarter, and Chinese hacking groups are well known to be waging an ongoing campaign against dissident and human rights organizations, to extract personal and logistic information about them.

So ironic or not, that's what might have happened to you, had you clicked the aforementioned sidebar link within the past week or so. Sorry about that.

Mitigated by Unpopularity and... Java

Being unaware of the previous and ongoing targeting of human rights workers by this nefarious scheme and others like it, I had assumed that the relative lack of popularity of the Amnesty site ( rating below 90,000) - not to mention that of my own blog! - made it a comparatively safe cross-link. But today I learned the organization’s site was hacked with a drive-by attack last April, while its Hong Kong website was in November 2010 hacked and seeded with an exploit dropping malware based around a previously unknown IE zero-day vulnerability (see this Websense report). In possible mitigation, these attackers are clearly not out for financial data or gain.

These attacks, as noted by Brian Krebs, serve to highlight the importance of keeping up to date with security patches. In the case of Java, a safer option might be to remove frequently targeted software you don’t really need.

No comments:

Post a Comment