‘Watering hole’ attackers hunt from Reporters without Borders

  • Liam Tung (CSO Online)
  • 23 January, 2013 14:33

The same Internet Explorer 8 flaw that hackers exploited as a zero-day in attacks on a US think tank website last year is now being used in attacks on visitors to human rights websites.

The website of the NGO ‘Reporters without Borders’ is the latest launchpad for a so-called ‘watering hole attack’, a technique that has hit numerous human rights websites in the past weeks, Avast security researcher Jindrich Kubec wrote in a post on Tuesday.

Hackers create a watering hole by injecting malicious code into a website that redirects visitors to an exploit page designed to infect the target with malware. It’s the same method used in a typical drive-by download attack on random visitors, except the watering hole has been selected for the audience it attracts.
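As an added illustration from the site owner's side (not code from the article or from Avast): a check that flags script, iframe, embed and object references pointing to hosts outside a site's allowlist, which is the kind of injected redirect described above. The allowlist hosts and the HTML sample are constructed.

```python
"""Added example: flag injected off-site script/iframe references in a page's
HTML, the kind of change that turns a site into a watering hole.
The allowlist and the HTML sample below are constructed, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads content from (constructed allowlist).
ALLOWED_HOSTS = {"www.example-ngo.org", "static.example-ngo.org"}


class _RefCollector(HTMLParser):
    """Collect src/data targets of tags that can pull in executable content."""
    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def find_offsite_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is not on the allowlist.
    Relative URLs (no host) are treated as same-origin and skipped;
    protocol-relative URLs (//host/path) are resolved to their host."""
    parser = _RefCollector()
    parser.feed(html)
    suspicious = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            suspicious.append((tag, url))
    return suspicious


# Constructed sample: a legitimate page with one injected hidden iframe.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-ngo.org/site.js"></script>
</head><body>
<p>Latest press freedom report</p>
<iframe src="http://redirect.invalid/exploit.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_offsite_refs(SAMPLE_HTML):
        print(f"off-site {tag}: {url}")
```

Run against a fresh copy of each page on a schedule and alert on any new off-site reference, since the injected element is usually the only change to an otherwise untouched page.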

While recent watering hole attacks have relied on exclusive zero-day flaws to compromise target systems, this one uses a recently patched IE flaw and two patched Java flaws to infect victims, wrote Kubec.

“They act as opportunists and try to take advantage of the time frame between the patch release and the patch application of some users, companies and non-governmental organizations,” he noted.

Features of the attack kit on Reporters without Borders’ website mean it is likely to have been rigged by the same group behind recent attacks on Tibetan and Uygur human rights websites and on political parties in Hong Kong and Taiwan, according to Kubec.

“In our opinion the finger could be safely pointed to China (again),” wrote Kubec.

Ahead of Christmas last year, Chinese hackers were suspected of planting a watering hole that used a zero-day flaw to net victims who visited the website of the foreign policy think tank Council on Foreign Relations.

The attack only served an exploit to browsers that run on operating systems using US English, Chinese, Taiwanese Chinese, Russian, Japanese or Korean, according to security firm FireEye.

Symantec noted at the time that the attack would have demanded skills and resources outside most hackers' capabilities.
