Visitors to Forbes.com, one of the world's most heavily used news sites, are being warned that they may have been targeted by Chinese state hackers who planted exploit code on the ‘Thought of the Day’ page that greets everyone arriving at the site.
According to US security firm iSIGHT Partners, the Chinese ‘Codoso’ cyber-spy group chained two unpatched flaws, an Adobe Flash zero-day and an Internet Explorer mitigation bypass which Microsoft patched only yesterday, to target Forbes users.
iSIGHT, and fellow research firm Invincea, which also spotted the attack, believe it was aimed solely at visitors from US defence and financial firms. But iSIGHT admits this isn't certain, potentially putting “vast” numbers of people worldwide at risk.
In a 10 February blog, iSIGHT senior marketing director, Stephen Ward, said it discovered the watering-hole campaign in late November 2014, attacking not only Forbes.com but other “more obscure” websites worldwide.
iSIGHT spotted the Forbes attack happening between 28 November and 1 December, but Ward said “there is a possibility of a longer duration of activity”.
He also admitted: “We do not believe this to be an operation intent on infecting millions of victims, but we cannot state with certainty true numbers.
“Based on the use of the Forbes.com website – ranked as the 61st most popular in the US and 168th most popular in the world by the Alexa ranking service – it is possible the reach of this campaign could be vast.
“It may include business and industry leaders, investors and other individuals at Fortune 500 companies and beyond.”
Invincea was more reassuring in a 10 February blog on the campaign, which it discovered when it blocked an attack on one of its customers, “a US defence industrial base company”, whose user was visiting Forbes.com.
Invincea insisted: “Given the highly trafficked Forbes.com website, the exploit could have been used to infect massive numbers of visitors. In fact it was not used for that purpose.
“Across Invincea's large footprint of over 20,000 firms, Invincea and iSIGHT can confirm only certain US defence and financial services firms were targeted with this exploit from Forbes.com during this time period.”
Meanwhile, there seems little doubt about the mechanics of the attack. iSIGHT's Stephen Ward said the compromised ‘Thought of the Day’ page served an exploit for an Adobe Flash zero-day vulnerability (CVE-2014-9163), which Adobe subsequently patched on 9 December.
On newer versions of Windows, where address space layout randomisation (ASLR) would otherwise stop the Flash exploit from landing reliably, it was paired with an ASLR bypass in Internet Explorer (CVE-2015-0071). iSIGHT said that, on its own, the IE bypass posed no risk, since it leaks memory layout rather than executing code. But Microsoft released a patch yesterday “in order to provide an extra layer of protection against future attacks”.
iSIGHT and Invincea deliberately held off talking about the attack until Microsoft could issue this patch.
iSIGHT lists several reasons for believing Codoso was behind the attack, including the fact that “the command and control (C&C) domain used was connected to tiiztm.com, a domain leveraged in several Chinese cyber espionage incidents associated with Codoso Team”.
It added: “The malware leveraged in the incident included resources written in simplified Chinese and bore a resemblance to variants of Derusbi, malware unique to Chinese cyber espionage operators.”
iSIGHT said it has been tracking Codoso – also known as the ‘Sunshop Group’ by FireEye – since at least 2010. The group is known to target multiple industries including defence, finance, energy, government, political dissidents and think tanks.
But Forbes itself has so far refused to accept the attack was definitely carried out by the Chinese. Its digital crime writer, Tom Fox-Brewster, said in a 10 February report: “In late November, Forbes.com was hacked. If cyber-security firms are right, Chinese hackers are to blame, but there's not enough evidence to guarantee attribution just yet.”
Likewise, Tim Erlin, director of security and risk at Tripwire, saw the attack as more criminal in nature than geared towards state espionage.
He told SCMagazineUK.com via email: “While the technical details point to Chinese state origins, this type of broad-based watering hole attack is more typical of criminal enterprises who are interested in compromising a large number of hosts.
“It's possible that the Codoso Team has some special interest in the specific demographic of Forbes readers, but the Forbes website is hugely popular and the attack not particularly discerning.”
Similarly, Clinton Karr, senior security strategist at Bromium, told SCMagazineUK.com via email: “There is no reason to believe this is a state-sponsored attack. Spear-phishing attacks are much more specialised and targeted than the broad audience of Forbes. That these attacks are using recent zero-day attacks also suggests a less sophisticated and more opportunistic hacker.”
Forbes' Tom Fox-Brewster added: “There haven't been any reported cases of successful exploitation, though they could exist. The attackers have not been able to establish any foothold on Forbes' network.”