It's the second such zero-day attack uncovered by FireEye within a week, following the Operation Snowman campaign.
In a 20 February blog post, FireEye said the new attack, dubbed “Operation GreedyWonk”, used a previously unknown vulnerability in the latest version of Adobe Flash to infect the websites of three organisations: the American Research Center in Egypt, the Smith Richardson Foundation and the Peter G Peterson Institute for International Economics.
Unsuspecting users were redirected to an exploit server where they were served with the zero-day malware. Two of the affected organisations focus on security and public policy matters, and FireEye said users were infected for the likely purpose of follow-on data theft of information relating to defence and public policy.
FireEye is linking the attack to a previous campaign, revealed by the Shadowserver Foundation in May 2012, which compromised similar government, defence and ‘policy wonk’ organisations, including the Israeli International Institute for Counter-Terrorism, the Centre for European Policy Studies, the US Center for Defense Information, the Cambodian Ministry of Foreign Affairs, Amnesty International Hong Kong and - once again - the American Research Center in Egypt.
Ned Moran, senior malware researcher at FireEye, told SCMagazineUK.com via email the two campaigns were consistent in their tradecraft, attack infrastructure and malware configuration properties.
FireEye does not directly identify the cyber spies involved, but David Bailey, CTO of cyber security at BAE Systems Applied Intelligence (formerly Detica), told SCMagazineUK.com: “We believe the threat actors originate in China, though cannot say who is funding them.”
Moran at FireEye was less forthright. He said the existence of English and Chinese addresses in the attack code “simply highlights that the attackers were only targeting the endpoints with the listed languages. It does not prove that the origin was in China”.
But Bailey at BAE believes the group are no ordinary criminals, based on the resources they have used in their past and present campaigns.
He said: “This is the latest iteration of a campaign going back to at least 2011 which uses zero-day exploits to target visitors to websites of strategic organisations. They are remarkably consistent at discovering new vulnerabilities in popular software, such as the Adobe products, and then using these to launch cyber espionage attacks.
“Given a typical zero-day vulnerability is worth over £100,000 in criminal markets, the groups using these zero-days are clearly motivated by more than personal financial gain.”
FireEye said the latest attack only hurts three types of users: those running Windows XP, those running Windows 7 with Java 1.6, and those running Windows 7 with a not-fully-updated version of either MS Office 2007 or Office 2010.
People with other configurations are safe and FireEye is urging users at risk to upgrade from XP and to update Java and Office.
In response, Adobe has rushed out a fix for the Flash vulnerability concerned, identified as CVE-2014-0502, as well as two other flaws.
Meanwhile, following the ‘Snowman’ attack, Microsoft has issued a patch for the affected versions 9 and 10 of Internet Explorer.
But security expert Brian Honan, of BH Consulting, believes vendors need to do more, calling such patches a “whack-a-mole type defence”.
He told SCMagazineUK.com: “While patches can address specific security vulnerabilities they do not address the underlying problem that the software and systems we employ on a day-to-day basis may not be developed securely. To minimise security vulnerabilities we need vendors to completely rewrite their applications in a secure manner. However, this may not be practical in many cases and we will continue to try and play a whack-a-mole type defence of fixing bugs when they appear.”
As a result, Honan advised: “Organisations should look at their infrastructure to see where their core systems are and look at other ways to defend those systems other than relying on patching vulnerabilities. Proactive monitoring of system and security logs can help quickly identify suspicious behaviours. Likewise identifying unusual traffic patterns in your network could indicate that your systems have been compromised.”
Security expert Wolfgang Kandek, CTO of Qualys, said in an email to journalists that users with the targeted combinations of Windows, Java 1.6 and Office should update to the newly patched version of Adobe Flash as quickly as possible. He said: “Others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also leak memory locations.”
Kandek added: “Microsoft has updated advisory KB2755801, which centralises the Flash updates in Internet Explorer 10 and 11. Users of IE10 or IE11, as well as Google Chrome, do not need to update Adobe Flash separately, but instead it is handled through their browsers automatically.” This advisory is at https://technet.microsoft.com/en-us/security/advisory/2755801.
FireEye first spotted the Adobe Flash-based attack on 13 February when it affected users of the Peter G Peterson Institute website. Its blog concluded: “This actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”
BAE's Bailey believes the spies are hounding non-profit political bodies because they are soft targets. He told us:
“Think tanks and NGOs, who don't have big budgets for security, have found themselves on the front line of cyber-attacks. These organisations face the same challenges in protecting their information and reputation as larger players but they have the challenge of finding security partners with services and solutions that improve their defences whilst not breaking the bank.”