Forbes.com – the 61st most popular website in the US according to Alexa – has been compromised to redirect certain visitors to websites delivering espionage malware.
The compromise lasted from 28 November to 1 December, 2014, and according to both iSight Partners and Invincea researchers, the targeted visitors were those working for US defense contractors and financial services companies.
“In late November 2014, a United States Defense Industrial Base company encountered an intrusion attempt while visiting the Forbes.com website. That attack was detected and thwarted by Invincea’s Advanced Threat Protection endpoint product, FreeSpace, even as the attack evaded several layers of network defenses at the company and in spite of the attack employing 0-day exploits,” Invincea researchers explained.
“The attack was executed against specific targets by compromising the Forbes.com Thought of the Day (ToTD) Adobe Flash widget that appears initially whenever anyone visits any Forbes.com page or article. Our analysis concluded that this widget was compromised using a Flash 0-day exploit to gain control of unsuspecting users’ machines within targeted firms.”
“Further analysis by iSIGHT Partners revealed that the exploit employed an additional 0-day bypass mitigation vulnerability in Internet Explorer (CVE-2015-0071), when needed, in order to bypass Address Space Layout Randomization (ASLR) protections available in IE version 9+.”
Both vulnerabilities have since been patched: Adobe fixed the Flash Player flaw (CVE-2014-9163) on December 9, 2014, and Microsoft fixed the IE ASLR bypass (CVE-2015-0071) in its February 10, 2015 Patch Tuesday update (MS15-009).
“In the world of cyber threats, the chained 0-day exploit is a unicorn – the best known attack with chained 0-days was the Stuxnet attack allegedly perpetrated by US and Israeli intelligence agencies against Iran’s nuclear enrichment plant at Natanz as part of an operation known as Olympic Games,” they explained.
iSIGHT Partners assesses with reasonable confidence that the group behind the attack is the Chinese cyber espionage team dubbed Codoso Team (also known publicly as Sunshop Group). Four observations support the attribution: the malware used in the incident resembles variants of Derusbi, a family unique to Chinese cyber espionage operators; the C&C domain is connected to a domain used in several earlier campaigns associated with Codoso Team; at least three other websites, all tied to Chinese dissident issues, hosted the same exploit before it was publicly disclosed; and Codoso Team regularly exploits zero-day vulnerabilities in its attacks and has shown a preference for watering hole attacks.
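For defenders, the practical takeaway from the reports is the exposure window (28 November to 1 December 2014) and the trigger: the ToTD Flash widget loaded on every Forbes.com page, so any employee who browsed the site in that window may have been served the exploit. The script below is an added example, not code from the article or from Invincea or iSIGHT, showing how to triage web proxy logs retrospectively for that window. The log format, client IPs and the widget path are constructed for illustration; adapt the parser to your proxy's real format.

```python
"""Retrospective exposure hunt for a watering-hole window.

Added example (not from the article, Invincea or iSIGHT). Given proxy logs,
list internal clients that fetched Flash content from forbes.com during the
28 Nov - 1 Dec 2014 compromise window, and separately those that merely
visited the site (the ToTD widget loaded on every page, so they may have
been exposed even if the proxy did not log the .swf request itself).
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log lines: timestamp, client IP, method, URL, MIME type.
# The widget path /totd/widget.swf is an assumption, not a real Forbes.com URL.
SAMPLE_LOG = """\
2014-11-27T23:59:10Z 10.1.4.22 GET http://www.forbes.com/ text/html
2014-11-28T14:02:31Z 10.1.4.22 GET http://www.forbes.com/ text/html
2014-11-28T14:02:33Z 10.1.4.22 GET http://images.forbes.com/totd/widget.swf application/x-shockwave-flash
2014-11-29T09:15:02Z 10.1.7.88 GET http://www.forbes.com/sites/x/ text/html
2014-11-29T09:15:04Z 10.1.7.88 GET http://images.forbes.com/totd/widget.swf application/x-shockwave-flash
2014-11-30T11:11:11Z 10.1.4.22 GET http://example.org/banner.swf application/x-shockwave-flash
2014-12-01T23:59:59Z 10.1.3.40 GET http://www.forbes.com/ text/html
2014-12-02T10:00:00Z 10.1.9.5 GET http://images.forbes.com/totd/widget.swf application/x-shockwave-flash
"""

WINDOW_START = datetime(2014, 11, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 12, 2, tzinfo=timezone.utc)  # exclusive, so all of 1 Dec counts
TARGET_DOMAIN = "forbes.com"
FLASH_MIME = "application/x-shockwave-flash"


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, mime = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"when": when, "client": client, "method": method, "url": url, "mime": mime}


def in_domain(url, domain):
    """True if the URL's host is the domain or a subdomain of it (not a look-alike)."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def is_flash(rec):
    """Flag Flash content by MIME type or by a .swf path, whichever the proxy recorded."""
    return rec["mime"] == FLASH_MIME or urlsplit(rec["url"]).path.lower().endswith(".swf")


def triage(log_text):
    """Return clients that loaded Flash from the target domain in the window,
    and clients that only visited it, as sorted lists."""
    flash, visited = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (WINDOW_START <= rec["when"] < WINDOW_END):
            continue
        if not in_domain(rec["url"], TARGET_DOMAIN):
            continue
        visited.add(rec["client"])
        if is_flash(rec):
            flash.add(rec["client"])
    return {"flash": sorted(flash), "visited_only": sorted(visited - flash)}


if __name__ == "__main__":
    for tier, clients in triage(SAMPLE_LOG).items():
        print(tier, clients)
```

Clients in the "flash" tier are the first candidates for endpoint forensics (Flash Player version at the time, IE version, and any Derusbi-like persistence); "visited_only" clients are lower priority but should not be dismissed, because the widget loaded on every page and many proxies do not log embedded object requests separately. The domain check deliberately matches suffixes on a dot boundary so that look-alike hosts are not swept in.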