Code on the Central Tibetan Administration website targets Chinese-speaking visitors and installs a backdoor on their systems
Researchers from Kaspersky Labs on Monday reported that the Central Tibetan Administration (CTA) website was compromised, noting that the attackers were highly selective about their victims.
Kaspersky's Kurt Baumgartner, wrote on the company blog that the attack is precisely targeted, as an appended, embedded iframe on the domain redirects visitors to the Chinese version of the website to a Java exploit that delivers a backdoor to the system.
"At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more," he wrote.
According to Baumgartner, the Java exploit being delivered archives, drops and executes the backdoor. Further examination of the code delivered during the attack shows signs of APT related toolchains, suggesting that the CTA compromise wasn't a passive attack, but rather a deliberate one. When the selective targeting is taken into account, this point is solidified.
"The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0-day Gondzz.class and Gondvv.class in August of last year," Baumgartner noted.
"This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard Spearphishing campaigns against a variety of targets that include Tibetan groups."
According to Kaspersky's records, the actor behind the attack on the CTA website has been active since late 2011.
In April, another Tibetan organization, the Tibetan Homes Foundation, had their website compromised in an attack that targeted Tibetan activists. According to Kaspersky researchers, that attack leveraged malicious Flash files that were signed by certificates stolen in an earlier campaign targeting gaming companies in Southeast Asia.
In February, Tibetan activists were targeted via Twitter with messages urging Free Tibet movement leaders to follow malicious links. Those links led to websites hosting exploits that were previously used in attacks against aerospace firms and payroll processing company.
Read more about data protection in CSOonline's Data Protection section.
This story, "Key Tibetan website compromised" was originally published by CSO.