Hackers have compromised the UK version of Amnesty International’s website, using it to serve malware that exploits a recently patched vulnerability in Java.
According to security expert Brian Krebs, the site’s home page is booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil.
The car site serves a malicious Java applet that uses a public exploit for a well-known Java flaw. The applet then retrieves an executable file that Sophos antivirus detects as Trojan Spy-XR, a malware variant first identified in June 2011.
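The chain described above starts with a home page that pulls a script from an unrelated third-party host. A simple defensive check for that pattern is to parse a page and flag every script, applet, iframe, embed or object that loads from a host outside the site's own domains. The following is an added example, not code from the article or from any of the organisations it mentions; the sample HTML, the host names (`www.example-ngo.org`, `cars.example-hacked.test`) and the `find_foreign_loads` function are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the site's own assets plus three injected references
# that load from an unrelated host. All names here are hypothetical.
SAMPLE_PAGE = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://www.example-ngo.org/js/menu.js"></script>
<script src="http://cars.example-hacked.test/ads/j.js"></script>
</head><body>
<applet code="Loader.class" archive="http://cars.example-hacked.test/x.jar"></applet>
<iframe src="http://cars.example-hacked.test/i.html" width="1" height="1"></iframe>
</body></html>
"""


class ExternalRefParser(HTMLParser):
    """Collects the URLs that active-content tags load from."""

    # Tag -> attributes that can point at remotely loaded content.
    TAG_ATTRS = {
        "script": ("src",),
        "applet": ("archive", "codebase"),
        "iframe": ("src",),
        "embed": ("src",),
        "object": ("data",),
    }

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        for name in self.TAG_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self.refs.append((tag, value))


def find_foreign_loads(html, own_hosts):
    """Return (tag, host, url) for each active-content reference whose host
    is not in own_hosts. Relative URLs are served by the site itself and skipped."""
    parser = ExternalRefParser()
    parser.feed(html)
    own = {h.lower() for h in own_hosts}
    findings = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host is None:
            continue  # relative reference, same origin as the page
        if host.lower() not in own:
            findings.append((tag, host, url))
    return findings


if __name__ == "__main__":
    for tag, host, url in find_foreign_loads(SAMPLE_PAGE, ["www.example-ngo.org"]):
        print(f"<{tag}> loads from foreign host {host}: {url}")
```

Run against a site's own pages on a schedule and compare the list of foreign hosts with a known allowlist (CDNs, analytics); a new host appearing between two runs, especially behind an `applet` or a 1×1 `iframe`, is the kind of change worth investigating before the page is served to visitors.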
As Krebs notes, the latest incident is hardly the first time Amnesty’s sites have been hacked to serve up malware. The organization’s site was compromised in April 2011 with a drive-by attack, and in November 2010 Amnesty’s Hong Kong website was hacked and seeded with an exploit that dropped malware through a previously unknown IE vulnerability.
“It appears likely that the exploit may be part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations,” Krebs assessed.
Paul Royal, a research consultant with Barracuda Networks, expressed similar sentiments.
“Certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists,” he explained.
“Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.”