Hackers have hit the website of the Central Tibetan Administration, the Tibetan government-in-exile established by the Dalai Lama in 1959 after he was forced out of Tibet, according to Kaspersky Lab Senior Security Researcher Kurt Baumgartner.
They installed code that redirects visitors from the site's Chinese-language pages to a Java exploit that drops a backdoor onto their PCs.
The attack exploits an old Java vulnerability. Oracle issued a patch last year, which should have been implemented by CTA’s IT staff by now.
Criminals “are still using patched bugs because there are people who fail to update because of various reasons,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, told TechNewsWorld. “There are also companies who do not apply updates in a timely fashion … to assess the impact of the new version within their ecosystems.”
The fact that the attack is specifically targeting visitors to the Chinese-language section of the site “implies that perhaps the attacker is fishing for information on Chinese nationals who are attempting to bypass the Great Firewall, or nationals abroad,” speculated Richard Henderson, security strategist and threat researcher at Fortinet’s FortiGuard Center.
The Central Tibetan Administration, based in Dharamshala, India, did not respond to our request for further details.
More on the Vulnerability
The exploited vulnerability exists in the Java Runtime Component in Oracle Java SE Update 6 and earlier, according to the National Vulnerability Database.
Known as “CVE-2012-4681,” it lets remote attackers execute an arbitrary crafted applet that bypasses security restrictions. It was exploited in the wild in August of last year.
“The target likely wasn’t worth spending a fresh zero-day exploit on,” FortiGuard Labs’ Henderson told TechNewsWorld.
What Kaspersky Lab Saw
Only a few visitors’ PCs have been attacked so far, Kaspersky’s Baumgartner said.
Visitors to the Chinese-language version of the CTA’s website are redirected to the Java exploit, which Baumgartner identifies as “YPVo.jar.” He named the backdoor, which is hidden in the jar file, “Trojan.Win32.Swisyn.cyxf.”
The backdoor is a part of a toolchain related to an advanced persistent threat, or APT, Baumgartner said.
The payload opens a remote backdoor on infected PCs that lets attackers seize full control over them with privileges inherited from the user, suggested Bitdefender’s Botezatu. The backdoor can also be used to install additional software on infected PCs.
“The exploit has been used in a similar manner in the recent past to very good effect,” Baumgartner told TechNewsWorld.
Attackers have been operating this type of watering hole attack for at least a couple of years. They have also launched spearphishing campaigns against various targets, including Tibetan groups, since about 2011, according to Baumgartner.
Hackers launched Java exploits against Apple using a more recent vulnerability, CVE-2013-2423.
Name That Malware!
Most antivirus vendors detect the backdoor as variants of gaming password stealers, which is “flatly incorrect,” Baumgartner pointed out.
That could be because the attacker may have hit gaming systems first.
“Because there is a lot of money to be made in the compromising of online gaming accounts, it’s likely the first blips on the radar were due to a large explosion of malware that was crafted to specifically steal online gaming credentials,” Fortinet’s Henderson commented.
An online games password stealer “does not raise any red flags within an organization,” and this lets a high-profile attack fly under the radar and get labeled as a lower class of incident, warned Bitdefender’s Botezatu.
“That is the entire philosophy behind a targeted attack. Until the sample is manually investigated, one does not fully understand the impact [it] has on a company or organization,” Botezatu concluded.
It is difficult to conclusively state who is behind an APT attack, but “in this case, it’s not unreasonable to point the finger at the Chinese government,” said Henderson, “as they have a clear motive for doing this.”
Beijing reportedly has denied involvement in the attack.