Forbes website used as a watering hole by Chinese Hacking group ‘Codoso Team’

Another cyber espionage attack has come to light and, unsurprisingly, it has been linked to Chinese hackers. The newly identified attack is a watering hole attack targeting one of the world’s biggest business and news websites, Forbes.com.

Users who visited Forbes.com in a web browser on the four days following Thanksgiving were exposed to being hacked, two cybersecurity firms said Tuesday.

The companies, iSIGHT Partners and Invincea, said hackers who allegedly belong to the Chinese hacker group Codoso Team had reprogrammed Forbes’ “Thought of the Day” widget to send malicious code to readers’ computers.

[Image: example of the Thought of the Day widget on the Forbes website]

Watering Hole

A watering hole attack is an attack in which the hackers compromise a website – typically a major website, as in this case – so that visitors to that website are infected with malware. Security researchers from iSIGHT Partners and Invincea say that this appears to be the handiwork of a long-running group they call Codoso Team, which has also been referred to as the Sunshop Group.

The campaign against Forbes.com was made possible by a zero-day attack that chained an Adobe Flash vulnerability (not again!) with a bypass of Microsoft’s ASLR mitigation in Internet Explorer, which Microsoft patched today.

The researchers found that the attack occurred over a couple of days following the Thanksgiving holiday in the US. In addition to attacking other properties of the website, the Thought of the Day widget on Forbes.com was infected with the intention of exploiting the aforementioned Flash vulnerability and causing visitors to download malware. A surprising aspect of this attack is that even though Forbes.com has a huge global audience, the hacking group’s targets were specific. The specific nature of those targets is what led the researchers to believe that the attackers might be Chinese: the hackers appear to be targeting Chinese dissident groups, defense sector firms and other political and commercial targets.
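One defensive check that follows from this: a site operator can snapshot a third-party widget and alert when its content drifts from the baseline or starts embedding Flash objects or scripts from unexpected hosts. The example below is added here and is not from the iSIGHT or Invincea reports; the widget markup, hostnames and allowlist are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed snapshots of a "thought of the day" style widget (not real Forbes markup).
BASELINE_WIDGET = """<div id="thought-of-the-day">
<script src="https://widgets.example-news.test/totd.js"></script>
<p class="quote">Constructed quote text</p></div>"""

TAMPERED_WIDGET = """<div id="thought-of-the-day">
<script src="https://widgets.example-news.test/totd.js"></script>
<script src="https://cdn.attacker-placeholder.invalid/x.js"></script>
<object type="application/x-shockwave-flash"
        data="https://cdn.attacker-placeholder.invalid/p.swf"></object>
<p class="quote">Constructed quote text</p></div>"""

ALLOWED_SCRIPT_HOSTS = {"widgets.example-news.test"}  # assumed allowlist
FLASH_MIME = "application/x-shockwave-flash"


def sha256_of(html: str) -> str:
    """Baseline fingerprint of the widget content as last reviewed."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


class WidgetAuditor(HTMLParser):
    """Collects findings: scripts from non-allowlisted hosts and Flash embeds."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(f"script from unexpected host: {host}")
        if tag in ("object", "embed"):
            target = (a.get("data") or a.get("src") or "").lower()
            if a.get("type") == FLASH_MIME or target.endswith(".swf"):
                self.findings.append(f"flash content embedded: {target}")


def audit_widget(html: str, baseline_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the widget matches baseline."""
    auditor = WidgetAuditor()
    auditor.feed(html)
    if sha256_of(html) != baseline_sha256:
        auditor.findings.insert(0, "content hash differs from baseline")
    return auditor.findings


if __name__ == "__main__":
    baseline = sha256_of(BASELINE_WIDGET)
    print("baseline:", audit_widget(BASELINE_WIDGET, baseline))
    print("tampered:", audit_widget(TAMPERED_WIDGET, baseline))
```

Running the same audit on a schedule against the live widget URL turns a silent widget replacement into an alert rather than a drive-by delivered to every visitor.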

“So what’s really interesting about this is it separates a lot of cyber espionage activity from say criminal activity. These guys don’t typically just put drive-bys anywhere,” says John Hultquist, senior manager of cyber espionage threat intelligence for iSIGHT. “They don’t want anybody’s information. What they want is information associated with the requirements that they have. Usually those requirements are gathering intelligence on intellectual property, gathering strategic intelligence, gathering information on say dissidents or security issues that they’re working.”

History

The group was first identified by FireEye in 2013, although it is believed to have been operating in the wild since 2010. It has depended heavily on the Derusbi malware to carry out its attacks, much like another group named Deep Panda. The two groups share similar techniques, but researchers believe them to be separate. Hultquist says:

“You may remember in 2010 the prize was actually awarded to a noted Chinese dissident. Shortly after that these operators went in, popped the website, and used that website to serve up exploits to visitors, again a very targeted concept. Since then they don’t only operate this way or through this manner, they’re also carrying out targeted spearphishing attacks.”

Identification

Anup Ghosh, CEO of Invincea, says his team first noticed the attack through a defense contractor. As mentioned, the team was surprised to find an attack targeting specific people. He adds that this attack is unusual in its chaining of zero-day exploits: not only did it exploit a Flash zero-day, it also leveraged a zero-day ASLR bypass to defeat that mitigation.

“Effectively in modern operating systems and browsers there is a layer of technology that Microsoft has added to the mix that really makes it much more difficult for a particular exploit to figure out what address base it’s operating in. So it makes it more difficult or nearly impossible to execute a buffer overflow,” explains Patrick McBride, vice president at iSIGHT. “In this case the team was able to exploit that ASLR, get outside of that box, if you will, and then directly exploit the Flash vulnerability.”

Resources: iSIGHT Report and Invincea Report
