Spearphishing attacks against Tibet impersonate security vendor that raised alarm
Chinese spears attack Tibetan activists
Following detection of spearphishing attacks against Tibetan organisations, further attacks have been detected that claim to be from AlienVault.
The initial detection by AlienVault of spearphishing attacks from China was announced two weeks ago; the attacks contained a malicious PDF with a variant of Gh0st RAT (a remote-access Trojan) and exploited a known vulnerability in Microsoft.
However, the company's labs have now detected efforts by attackers to spoof AlienVault email addresses in an attempt to make their messages more realistic.
Jamie Blasco, head of labs at AlienVault, called this "a case of imitation being the sincerest form of flattery".
He said: “The fact that the pro-Chinese sympathisers have taken our research seriously enough to start trying to blacken our name indicates that our message about the Chinese cyber attackers has hit home, and the cyber criminal activists are not happy.
“While the pro-Chinese sympathisers are clearly trying to tarnish AlienVault's reputation with their actions, I'm very happy the message is getting through to the media that the ongoing cold war between China and Tibet has spilled over into cyber space.
“We have seen Tibetan sympathisers turn to self-immolation in their quest to bring their plight to the attention of Western governments, so any effect on our reputation pales into insignificance alongside their sacrifices.”
The emails come from ‘firstname.lastname@example.org' with a subject line of "Targeted attacks against Tibet organisations" and contain a malicious payload that loads a Java applet, which exploits CVE-2011-3544.
Blasco said: “Our research suggests that the attacks we have been tracking over the past month are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spearphishing emails are quite sophisticated and feature an attachment that exploits a stack overflow vulnerability dating back to last September.
“Yes, AlienVault has effectively been drawn into the cyber conflict itself, but we plan on continuing to report on this humanitarian cause for as long as it takes. Our email spoofing problems are nothing compared with the problems that Tibetans are facing.”
Blasco also said that automated bots are being used to spam Twitter users with hashtags related to the issue, including #tibet and #freetibet; the junk tweets are from automated Twitter accounts controlled by the Chinese government or its sympathisers.
Security researcher and blogger Brian Krebs also spotted this flood of Twitter spam, and said that it was not clear how long ago the bogus tweet campaigns began; he said the hashtags are now so associated with junk tweets from apparently automated Twitter accounts that they have ceased to become a useful way to track the China-Tibet situation.
Krebs said: “Twitter was very responsive to the botted accounts being used to drown out hashtags following the disputed Russian elections, but these anti-Tibetan Twitter bots appear to have flown under the radar so far.
“When I checked the situation on Monday (19 March) evening, the bunk tweets aimed at popular Tibetan hashtags were still going strong. It's not immediately clear how many apparently botted accounts are being used to blast these tweets; most of them have zero, if any, followers, and are following very few other accounts. Twitter has been notified about a couple of dozen accounts that appear to be the source of most of these junk messages.”