Who's Behind the Dalai Lama Website Hack?
By Jennifer LeClaire / NewsFactor Network
Published: August 13, 2013
The Dalai Lama has been hacked. Well, at least his Chinese-language website has. According to Kaspersky Lab experts, a snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an advanced persistent threat-related backdoor.

In a blog post, Kaspersky's Kurt Baumgartner explained that the attack itself is precisely targeted. An appended, embedded iframe redirects the Chinese-speaking visitors to a Java exploit that maintains a backdoor payload.

"The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version," he said. "At this point in time, it seems that the few systems attacked with this code are located in China and the U.S., although there could be more . . . Backdoors detected with the Swisyn verdict are frequently a part of APT-related toolchains, and this one most certainly is."

Watering Hole Attacks

Baumgartner said the Java exploit appears to attack the older CVE-2012-4681 vulnerability, which he called "a bit of a surprise." The same vulnerability was used by the actor that distributed the original CVE-2012-4681 zero-day (Gondzz.class and Gondvv.class) in August 2012.

"The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case," he said.

"Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect," he added.

Baumgartner also noted that this threat actor has been quietly operating these sorts of watering hole attacks for at least a couple years along with the standard spearphishing campaigns against a variety of targets that include Tibetan groups.
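The attack described above hinges on an iframe that is appended only to the Chinese-language version of the site and points at a Java exploit. The following added example (not code from the article, Kaspersky, or the Central Tibetan Administration) shows a defender's check for exactly that pattern: it parses several language versions of the same page, reports any iframe that exists in only one of them, and flags sources that look like Java content. The page contents and the `example.invalid` URL are constructed placeholders.

```python
# Added example: detect an iframe that appears in only one language version of
# a page (the injection pattern of the watering hole attack described above).
import re
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"].strip())


# Sources that end in a Java artifact are the ones the article's attack used.
JAVA_HINT = re.compile(r"\.(jar|class|jnlp)(\?|$)", re.I)


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return set(parser.iframes)


def find_injected_iframes(versions):
    """versions maps a language code to that version's HTML.
    Returns (lang, src, looks_like_java) for each iframe source that is
    present in exactly one language version; a shared widget iframe that
    every version carries is ignored."""
    per_lang = {lang: collect_iframes(h) for lang, h in versions.items()}
    findings = []
    for lang, srcs in per_lang.items():
        others = set().union(*(s for l, s in per_lang.items() if l != lang))
        for src in sorted(srcs - others):
            findings.append((lang, src, bool(JAVA_HINT.search(src))))
    return findings


# Constructed sample pages (placeholder HTML, not the real site). The Chinese
# version carries an extra hidden iframe appended after the closing tags.
COMMON = ("<html><body><h1>Site</h1>"
          "<iframe src='/widgets/calendar.html'></iframe></body></html>")
PAGES = {
    "en": COMMON,
    "bo": COMMON,
    "zh": COMMON + "<iframe src='http://example.invalid/loader.jar' "
                   "width='0' height='0'></iframe>",
}

if __name__ == "__main__":
    for lang, src, java in find_injected_iframes(PAGES):
        note = " (loads Java content)" if java else ""
        print(f"[{lang}] iframe present only in this version: {src}{note}")
```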

Is it the Government?

Several security researchers declined to comment on the issue. We asked Rob Enderle, principal analyst at The Enderle Group, for his sense of what is going on. He told us this appears to be another example of governments using hackers to find out what their citizens are doing and attempting to eliminate dissent before it can emerge.

"Since the Dalai Lama is somebody the Chinese government isn't particularly fond of and since they would probably like to know who's visiting that site -- given the target -- you'd assume this is a Chinese government attack," Enderle said.

"You would think criminals that wanted to exploit individuals would probably target a site where rich people go," he added. "If you are a criminal organization would you really spend your time targeting the Dalai Lama's site?"

© Copyright 2015 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.