Shadow Server's Steven Adair and Ned Moran have an interesting and detailed write-up on the expanded use of "strategic web compromises" that target specific populations of Internet users for intelligence-gathering purposes.
The authors note that while cyber criminals exploit common website vulnerabilities such as cross-site scripting and SQL injection to infect as many users as possible, usually for monetary gain, strategic web compromises are intended for cyber espionage and data collection.
"The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in. In the past few years we have witnessed several strategic web compromises of organizations in a variety of fields with a recurring focus on those involved with freedom of speech, human rights, defense, foreign policy and foreign relations. In these cases, normally trusted websites have been compromised to serve up malicious code designed to give backdoor access into the systems of unsuspecting visitors," Adair and Moran explain.
Key to such operations, the authors state, is the use of exploits for unpatched vulnerabilities that may not yet be publicly known, which leaves visitors to the compromised websites exposed.
"In general a well patched system will be immune from many of the attacks, but in several cases previously unknown 0-day exploits (no available patch) have found their way onto these sites — in short the average visitor may not have much of a chance to defend themselves."
The authors point out that some recently detected cyber espionage operations have reused exploits first seen in widespread attacks that compromised large populations, such as the one behind the OS X FlashBack Trojan, because a proven exploit gives these more narrowly targeted attacks a good chance of success.
"Macs have been hit fairly hard in recent months, most notably with crimeware via a variant of malware dubbed FlashBack. However, advanced threat malware targeting Human Rights organizations and those in the foreign policy space have also been observed utilizing this exploit to target both OS in more limited attacks."
The authors also note the use of a recently disclosed Adobe Flash exploit targeting Windows systems, served from compromised websites including those of the Center for Defense Information, Amnesty International in Hong Kong, and the Cambodian Ministry of Foreign Affairs.
"In the last few weeks there has been a notable increase in strategic web compromises used to serve the most recent Flash exploit (targeting Windows users). At the time of this writing, several high profile websites are still compromised and serving the most recent Flash exploit. If successful the exploit will drop malware from attackers typically labeled as the advanced persistent threat..."
They caution readers not to visit those websites because the malicious iframes injected into them were still active at the time of writing. Their analysis also lists active exploits being served from the following websites:
- International Institute for Counter-Terrorism (ICT)
- American Research Center in Egypt (ARCE)
- Institute for National Security Studies (INSS)
- The Centre for European Policy Studies (CEPS)
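The indicator the authors warn about above is an injected iframe on an otherwise trusted site. The scanner below is an added example, not code from the Shadowserver write-up: it parses a page and flags iframes that point off-site and are concealed (hidden via CSS or sized to 0/1 pixels), which is the classic shape of a strategic-web-compromise injection. The sample HTML and every hostname in it are constructed placeholders, not indicators from the report, and the heuristics are my own.

```python
"""Heuristic scan for injected iframes of the kind used in strategic web compromises.

Added example, not code from the Shadowserver write-up. The sample HTML below is
constructed; the hostnames in it are placeholders, not indicators from the report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: one legitimate off-site embed, two concealed off-site
# frames (the pattern we want), and one concealed but same-origin widget.
SAMPLE_HTML = """
<html><body>
<h1>Policy Institute</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://example.net/tracker.html" width="0" height="0"></iframe>
<div>news, events, publications ...</div>
<iframe src="https://stats.example.org/" style="display:none"></iframe>
<iframe src="/local-widget" width="0" height="0"></iframe>
</body></html>
"""


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (with or without 'px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value, re.I)
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe>; HTMLParser tolerates broken markup."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    site_host is the hostname the page was fetched from. An iframe is flagged only
    when it points off-site AND is concealed: off-site alone is normal (video embeds,
    ads) and a hidden same-origin frame is usually a site's own widget, but an
    off-site frame nobody is meant to see is the watering-hole pattern.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # None for relative paths such as /local-widget
        off_site = bool(host) and host.lower() != site_host.lower()
        concealed = []
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            concealed.append("hidden via style")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            concealed.append("0/1-pixel dimensions")
        if off_site and concealed:
            findings.append((src, ["off-site src " + host] + concealed))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.policy-institute.example"):
        print(src, "->", ", ".join(reasons))
```

Hits are triage candidates, not verdicts: a hidden third-party analytics frame will trip the same rule. The bigger caveat is that injections of this kind are often obfuscated JavaScript that writes the iframe at runtime, so a static parse of the served HTML sees only the script; to catch those, feed the scanner the DOM after rendering (or the decoded script output) rather than the raw response body.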
"Cyber Espionage attacks are not a fabricated issue and are not going away any time soon. These attackers are not spreading malware through strategically compromised websites to make friends. They are aiming to expand their access and steal data. Communications (primarily e-mail), research and development (R&D), intellectual property (IP), and business intelligence (contracts, negotiations, etc) are frequently targeted and stolen. Take the cyber espionage threat seriously..." the authors conclude.