Who's Behind the Dalai Lama Website Hack?
By Jennifer LeClaire / NewsFactor Network
Published: August 13, 2013

The Dalai Lama has been hacked. Well, at least his Chinese-language website has. According to Kaspersky Lab experts, a snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an advanced persistent threat-related backdoor.

In a blog post, Kaspersky's Kurt Baumgartner explained that the attack itself is precisely targeted. An appended, embedded iframe redirects the Chinese-speaking visitors to a Java exploit that maintains a backdoor payload.

"The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version," he said. "At this point in time, it seems that the few systems attacked with this code are located in China and the U.S., although there could be more . . . Backdoors detected with the Swisyn verdict are frequently a part of APT-related toolchains, and this one most certainly is."
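
The indicator Baumgartner describes, an iframe appended to one language version of a site but absent from its siblings, is something a site owner can check for without any knowledge of the payload. The script below is an added example, not Kaspersky's code or anything from the CTA site; it parses each language version of a page, lists its iframes, and flags any that appear in only one version or that sit after the closing </html> tag. The sample pages and the PLACEHOLDER host are constructed.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record the src of every <iframe>, noting whether it came after </html>."""

    def __init__(self):
        super().__init__()
        self.srcs = []            # list of (src, appended_after_html_close)
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":       # HTMLParser lowercases tag and attribute names
            self.srcs.append((dict(attrs).get("src", ""), self._html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self._html_closed = True


def iframe_srcs(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def flag_language_specific_iframes(versions):
    """versions maps a language code to that version's HTML.
    Returns a sorted list of (lang, src, reason) for iframes that appear in
    only one language version or were appended after </html>."""
    per_lang = {lang: iframe_srcs(html) for lang, html in versions.items()}
    findings = []
    for lang, entries in per_lang.items():
        elsewhere = {src for other, ents in per_lang.items()
                     if other != lang for src, _ in ents}
        for src, appended in entries:
            reasons = []
            if src not in elsewhere:
                reasons.append("only in %s version" % lang)
            if appended:
                reasons.append("appended after </html>")
            if reasons:
                findings.append((lang, src, "; ".join(reasons)))
    return sorted(findings)


# Constructed sample pages (not captured from any real site): all three share a
# legitimate embedded-video iframe; the zh version also carries a zero-size
# iframe appended after </html>, pointing at a placeholder host.
SHARED = "<html><body><iframe src='https://video.example/embed/1'></iframe></body></html>\n"
PAGES = {
    "en": SHARED,
    "bo": SHARED,
    "zh": SHARED + "<iframe src='http://PLACEHOLDER.invalid/x.html' width='0' height='0'></iframe>\n",
}

if __name__ == "__main__":
    for lang, src, reason in flag_language_specific_iframes(PAGES):
        print(f"[{lang}] {src}: {reason}")
```

Run the same check against a site's own localized variants after a deployment or on a schedule; an iframe that differs by language, or lives outside the document body, is worth a manual look even if the destination is not yet on any blocklist.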

Watering Hole Attacks

Baumgartner said the Java exploit appears to target the older CVE-2012-4681 vulnerability, which he called "a bit of a surprise." An actor that distributed the original CVE-2012-4681 zero-day (the Gondzz.class and Gondvv.class files) in August 2012 used the same exploit.

"The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case," he said.

"Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect," he added.

Baumgartner also noted that this threat actor has been quietly operating these sorts of watering hole attacks for at least a couple years along with the standard spearphishing campaigns against a variety of targets that include Tibetan groups.

Is it the Government?

Several security researchers declined to comment on the issue. We asked Rob Enderle, principal analyst at The Enderle Group, for his sense of what is going on. He told us this appears to be another example of governments using hackers to find out what their citizens are doing and attempting to eliminate dissension before it can emerge.

"Since the Dalai Lama is somebody the Chinese government isn't particularly fond of and since they would probably like to know who's visiting that site -- given the target -- you'd assume this is a Chinese government attack," Enderle said.

"You would think criminals that wanted to exploit individuals would probably target a site where rich people go," he added. "If you are a criminal organization, would you really spend your time targeting the Dalai Lama's site?"
