Last month we wrote about a flaw in Microsoft’s Internet Explorer that could allow cybercrooks to take control of a Windows-based computer if the user browses to a malicious website. The website making news for that attack was the US-based think tank, the Council on Foreign Relations (CFR). Avast Virus Lab has since discovered that two Chinese human rights sites, a Hong Kong newspaper site, a Russian science site, and weirdly, a Baptist website (see the recent tweet) are also infected with the Flash exploit of IE8.
You can imagine the interesting audience that frequents sites such as these. The CFR, for example, attracts high ranking government officials including former presidents and secretaries of state, ambassadors, journalists, and leaders of industry. These sites were chosen on purpose; instead of targeting the general masses, like in a phishing attack, the perpetrators of a so-called “watering hole attack” target specific topics like defense or energy and lie in wait for persons of interest to visit, similar to a predator at a watering hole waiting for its victims to come to it.
“The whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,” said Jindrich Kubec, Avast Virus Lab’s Director of Threat Intelligence. Kubec said Avast’s CommunityIQ, millions of users working as “global sensors” to detect new threats, reported detections on the new sites in December. “At least two of the sites use the same spyware binary with exactly same configuration,” said Kubec. “The rest look a bit different, but we haven't investigated it thoroughly yet.”
Some of the current infected sites are linked to hackers working for or with the Chinese government. This seems to confirm experts' opinions that state-sponsored hacker groups wanting to penetrate a specific organization are behind the attacks and their goal is to gather business or military intelligence.
“We’re starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors,” said the head of the National Security Agency’s Information Assurance Directorate in a speech during fall of 2012. Even during the Cold War, blocs of nations allied with the US or the Soviet Union worked to undermine each other, but operated within boundaries, she said. “Some of today’s national cyber actors don’t seem to be bound by any sense of restraint.”
We advise users to update their browser to a newer version of Internet Explorer (9 and 10 are not affected), or to switch to a more secure browser such as Google Chrome or Mozilla Firefox. Microsoft has released a Fix it solution for Security Advisory 2794220. This Fix it solution prevents the vulnerability from being used for code execution without affecting your ability to browse the Web.