The Amnesty International UK website was compromised for two days, serving up the nasty Gh0st RAT tool.
The Remote Administration Tool is mainly used in targeted attacks, as it lets cybercriminals take complete control over an infected system, letting them steal victims’ passwords, emails and data.
All users had to do to get infected with the malware was visit the website, which has now been cleaned after security company Websense reached out to Amnesty International.
This is not the first time an Amnesty International website has been hit. Websense found the same site had been compromised in 2009, whilst the Hong Kong arm of the charity was injected with dirty code in 2010.
It is unknown how the site was infected this week, but Websense suspects it could be hackers taking advantage of a flaw in the content management system (CMS) being used by Amnesty International UK.
“We’re not saying that Amnesty International themselves were specifically targeted because we did see over 100 websites also hosting the same code. So there’s definitely something on these 100 websites where an issue is resident and the malware authors are seeking to exploit that. There’s some commonality across those websites,” Leonard said.
“It could be a CMS issue, it could be a database issue. We’re still looking into seeing what that commonality might be.
“There’s certainly something common across them that allows the malware authors to not only deploy the exploit kit but also upload the malicious payload file.”
Leonard said he had been in touch with VeriSign to see if it can investigate the certificate of the Gh0st RAT file being delivered. That certificate appeared to have been signed by the Chinese certificate authority (CA) Tencent. That certificate has also “been in use for a while and does not appear to have been revoked at the time of this latest exploit activity,” Websense said. It looks as though it will be valid until 26 January 2013.
This means that somewhere in the certification process, there has been a snafu. That could either be a mistake from the original CA, or a hacker may have compromised a CA to give themselves some fraudulent certificates, allowing them to dodge security products. The company using the certificate may also have made a mistake, but Leonard said it is unlikely the mystery will be solved.
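The security-relevant point above is that a certificate which chains to a trusted CA, sits inside its validity window and has not been revoked still says nothing about whether the signed file is safe. The following is an added illustration, not code from Websense or from the article: it models the checks a loader or AV engine makes on a code-signing certificate and then the stricter publisher-allowlist policy an organisation can layer on top. The certificate fields, CA names, revocation entries, allowlist and observation date are all constructed for the example; only the "valid until 26 January 2013" expiry echoes the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CodeSigningCert:
    """The handful of certificate fields an endpoint policy actually decides on."""
    subject: str        # publisher name the OS shows in its "do you trust" dialog
    issuer: str         # CA that issued the certificate
    serial: str         # serial number; CRLs and OCSP identify a cert by (issuer, serial)
    not_before: datetime
    not_after: datetime


# Constructed policy data for this example. A real deployment sources these from the
# OS trust store, the CA's CRL/OCSP responder and the organisation's own allowlist.
TRUSTED_ISSUERS = {"Example Commercial CA", "Example Regional CA"}
REVOKED = {("Example Commercial CA", "0a1b2c")}            # (issuer, serial) pairs
ALLOWED_PUBLISHERS = {"Acme Software Ltd"}


def signature_checks(cert: CodeSigningCert, observed_at: datetime) -> list[str]:
    """The checks a typical loader or AV engine performs: trusted chain, validity
    window at the time the file was seen, and revocation status.
    Returns the list of failures; an empty list means 'signature valid'."""
    failures = []
    if cert.issuer not in TRUSTED_ISSUERS:
        failures.append("issuer not in trust store")
    if not (cert.not_before <= observed_at <= cert.not_after):
        failures.append("outside validity window")
    if (cert.issuer, cert.serial) in REVOKED:
        failures.append("certificate revoked")
    return failures


def trust_decision(cert: CodeSigningCert, observed_at: datetime) -> list[str]:
    """The stricter policy: a valid signature proves who signed the file, not that
    the file is benign, so the publisher must also be explicitly approved."""
    failures = signature_checks(cert, observed_at)
    if cert.subject not in ALLOWED_PUBLISHERS:
        failures.append("publisher not on allowlist")
    return failures


# Constructed certificate modelled on the article's description: issued by a CA the
# system trusts, not revoked at the time of the incident, valid until 26 January 2013.
PAYLOAD_CERT = CodeSigningCert(
    subject="Unknown Publisher Co",
    issuer="Example Regional CA",
    serial="deadbeef",
    not_before=datetime(2011, 1, 26, tzinfo=timezone.utc),
    not_after=datetime(2013, 1, 26, tzinfo=timezone.utc),
)
OBSERVED = datetime(2012, 5, 10, tzinfo=timezone.utc)   # constructed observation time


if __name__ == "__main__":
    # The signature-only checks all pass, which is exactly what let the payload through.
    print("signature-only checks:", signature_checks(PAYLOAD_CERT, OBSERVED) or "pass")
    # Only the explicit publisher allowlist blocks it.
    print("allowlist policy:", trust_decision(PAYLOAD_CERT, OBSERVED) or "pass")
```

Running the block shows the payload certificate passing every signature-level check and failing only the allowlist, which is why "signed and not revoked" should be treated as an identity claim rather than a verdict on the file. Revocation entries added after the fact only change the answer for evaluations made after that point, so a host that ran the file earlier remains infected regardless.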
Unfortunately, it appears many traditional anti-virus products are not protecting against this threat, Leonard said. “It is not great news. There was very low protection offered by traditional AV. The situation has not improved that much over the last few days,” he added. “The site is clean, but the actual harm could have already been done two days back.”
I don't understand why the use of certificates to "legitimize" malware is being treated as so unexpected. When Microsoft started their signed ActiveX nonsense years ago, anyone with any experience knew it was a bad idea. Until fairly recently you could write a piece of Java code and put anything in for the company name and Java displayed that name to the target. They finally fixed that but it really makes no difference. People want to see the dancing babies. :-)
One of the local pentesters started a small company here in the US for the express purpose of getting a legit code-signing certificate. The incorporation and certificate cost him about $350 US and now all of his Java exploit malware tells the target it's trusted and even checks the "Always trust content from this publisher" box.