Amnesty International Website Serves Malware For Two Days

The Amnesty International UK website was compromised for two days, serving up the nasty Gh0st RAT tool.

The Remote Administration Tool is mainly used in targeted attacks, as it lets cybercriminals take complete control over an infected system, letting them steal victims’ passwords, emails and data.

All users had to do to get infected with the malware was visit the website, which has now been cleaned after security company Websense reached out to Amnesty International.

This is not the first time an Amnesty International website has been hit. Websense found the same site had been compromised in 2009, whilst the Hong Kong arm of the charity was injected with dirty code in 2010.

Amnesty for hackers?

It is unknown how the site was infected this week, but Websense suspects it could be hackers taking advantage of a flaw in the content management system (CMS) being used by Amnesty International UK.

Carl Leonard, security research manager at Websense, told TechWeekEurope his company has seen widespread use of scanners to see which software websites are using. They then find flaws and point exploit kits at them in order to compromise them. In the case of Amnesty International, it appears it was hit as part of a wider attack methodology such as this.

“We’re not saying that Amnesty International themselves were specifically targeted because we did see over 100 websites also hosting the same code. So there’s definitely something on these 100 websites where an issue is resident and the malware authors are seeking to exploit that. There’s some commonality across those websites,” Leonard said.

“It could be a CMS issue, it could be a database issue. We’re still looking into seeing what that commonality might be.

“There’s certainly something common across them that allows the malware authors to not only deploy the exploit kit but also upload the malicious payload file.”

Leonard said he had been in touch with VeriSign to see if it can investigate the certificate of the Gh0st RAT file being delivered. That certificate appeared to have been signed by the Chinese certificate authority (CA) Tencent. That certificate has also “been in use for a while and does not appear to have been revoked at the time of this latest exploit activity,” Websense said. It looks as though it will be valid until 26 January 2013.

This means that somewhere in the certification process, there has been a snafu. That could either be a mistake from the original CA, or a hacker may have compromised a CA to give themselves some fraudulent certificates, allowing them to dodge security products. The company using the certificate may also have made a mistake, but Leonard said it is unlikely the mystery will be solved.

Unfortunately, it appears many traditional anti-virus products are not protecting against this threat, Leonard said. “It is not great news. There was very low protection offered by traditional AV. The situation has not improved that much over the last few days,” he added. “The site is clean, but the actual harm could have already been done two days back.”

Are you a security expert? Try our quiz!