GMA News Online SciTech » Technology

Hackers hitting NGOs with backdoor attacks 

January 3, 2012 4:44pm
Hackers may be targeting non-government organizations with a series of backdoor attacks, a computer security firm warned this week.
 
Trend Micro said it has found evidence that Amnesty International (AI), whose UK website was attacked recently, is "not the only intended target for the attack."
 
"Based on our investigation, it seems that the initially reported affected organization is just one of the targets in this attack and that the attack itself is fashioned specifically for the targets," it said in a blog post.
 
It cited earlier reports that the attack on AI's website involved an iframe that redirected users to another compromised site in Brazil.
 
The site executed a malicious Java applet detected as JAVA_DLOAD.ZZC, which exploits a vulnerability in Java.
 
According to Trend Micro, the attack drops BKDR_PPOINTER.SM, which connects to a certain URL to send and receive commands from the attacker.
 
"It is also capable of gathering certain information about the affected system," Trend Micro said.
 
A separate blog post by security researcher Brian Krebs in late December said AI's homepage in the United Kingdom had served malware that exploits a recently patched vulnerability in Java.
 
"Security experts say the attack appears to be part of a nefarious scheme to target human rights workers," he said.
 
On the other hand, Trend Micro said further analysis of the attack on AI shows that the code of the file retrieved from the URLs indicates it was a payload specifically intended for the human rights organization, as its code contains strings related to the organization.
 
It added that Trend Micro researcher Nart Villeneuve checked on this and "found other folder and file combinations hosted on the same compromised website, but with different strings."
 
"This strongly suggests the existence of other targets," it said.
 
Targeting Amnesty International
 
Trend Micro said AI's home page had been a target at least a couple of times within the past several months, "showing how determined cybercriminals are to target the frequent visitors of this site."
 
As of this week, it said the site has been cleaned of the malicious code.
 
"Site owners of special interest sites catering to particular demographics, organizations or groups of like-minded individuals should be just as cautious about these kinds of attacks as corporations and businesses," it said.
 
Krebs added this was hardly the first time AI's sites have been hacked to serve up malware.
 
"The organization’s site was hacked in April 2011 with a drive-by attack.  In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability," he said.
 
He said the UK site is not particularly popular, with a global rank of 90,203 according to Alexa.com.
 
"It appears more likely that the exploit may be part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations," he said.
 
Malware from China?
 
Also, Krebs noted that an earlier attack against Amnesty International’s Hong Kong site loaded malware that belongs to a notorious family of backdoor Trojans from China.
 
He said a ThreatExpert analysis of the malicious Java file currently being served by Amnesty’s UK site indicated the malware downloaded "appears to be associated with China."
 
Paul Royal, a research consultant with Barracuda Networks, said the attack fits the profile of previous campaigns against human rights non-governmental organizations.
 
Citing an email from Royal, Krebs said certain countries “use zero day exploits and other techniques to gain electronic information about the activities of human rights activists.”
 
“Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant,” he quoted Royal as saying. — TJD, GMA News