May 17, 2011 13:44 GMT

After a UK human rights website was infected with a Flash zero-day exploit, security researchers from Symantec discovered two more similar sites compromised in the Philippines and Hong Kong.

The drive-by download attack on the UK human rights site was discovered by web security vendor Armorize back on April 13th.

The compromised website was infecting visitors with a piece of malware by exploiting a zero-day vulnerability in Flash Player (CVE-2011-0611) and using a not-so-common technique known as drive-by caching.

Symantec found a similar infection serving the exact same malware through the same exploit on the website of a ruling Asian political party.

The exploits were loaded from a compromised website belonging to a human rights group from the Philippines.

"From the exploits and the file names, it is apparent that the attacker is the same group that targeted the UK human rights group’s website on April 13th," the Symantec researchers conclude.

The Asian political party's website was fixed on May 12 and the Filipino human rights one on May 13. Investigations determined they had been infected with the Flash exploit since April 18, when it was still a 0-day.

In addition, Symantec researchers discovered another infection having the exact same characteristics on a human rights website in Hong Kong. The site is still compromised and continues to infect visitors.

In all three cases, the deployed malware had a zero antivirus detection rate on VirusTotal and reported back to IP addresses located on the same network in Hong Kong.

"The methods and exploits used were also rare and not commonly seen in the wild. Zero day exploits were used. Antivirus detection rates for the installed malware were very low. This all makes us believe that this is a target group aimed at government and human rights websites in particular," says Gary Krall, technical director at Symantec.