Spy malware buried on official Tibetan website
Researchers have identified a new "watering hole" APT attack.
Chinese-speaking individuals visiting the website for the Central Tibetan Administration are being targeted with a Java exploit that installs advanced malware on their machines.
According to researchers at security firm Kaspersky Lab, the official site for the Tibetan government-in-exile, led by the Dalai Lama, was seeded with a backdoor that takes advantage of a vulnerability in Java, CVE-2012-4681, which was fixed by Oracle roughly a year ago.
The incident bears the signature of a watering hole attack, in which espionage malware is planted on a legitimate site, and then the attackers wait for their desired victims to visit and take the bait.
"The attack itself is precisely targeted," Kurt Baumgartner, principal security researcher at Kaspersky Lab, wrote in a blog post on Monday. "[A]n appended, embedded IFRAME redirects visitors to a Java exploit that maintains a backdoor payload."
Researchers said the attackers have employed certain tricks in this campaign, including functionality that allows them to download the payload in an encrypted format.
"This threat actor has been quietly operating these sorts of watering-hole attacks for at least a couple of years and also the standard spear phishing campaigns against a variety of targets that include Tibetan groups," Baumgartner said.
The English and Tibetan language versions of the site were not affected. It's unclear who is responsible for the attack, but China has been fingered as the culprit in the past.