The assault against Free Tibet and Uyghur supporters is unrelenting as another watering hole attack has been uncovered, this time against a caregiver site supporting Tibetan refugee children.

The non-governmental organization (NGO) Tibetan Homes Foundation site remains compromised and is hosting a malicious Adobe Flash Player SWF file and is spreading backdoors signed with digital certificates stolen that were also part of the Winnti attacks. Researchers at Kaspersky Lab said the malicious Flash file was also found on two other Tibetan activist sites, tibetangeeks[.]com and vot[.]org. Both sites are no longer infected, researcher Kurt Baumgartner wrote on the Securelist blog today.

The Winnti attacks were disclosed yesterday. More than 30 online gaming companies, most of them in Southeast Asia, have been compromised by attackers using malware to steal valid digital certificates that have been used in attacks against Tibet supporters, as well as in-game currency and game source code. The attackers are stealing in-game gold or runes and cashing in the virtual currency for real money. They are also either re-selling the stolen certificates on the black market, or are closely tied to state-sponsored Chinese hacking groups responsible for attacks against Tibetan activists.

In the attack against Tibetan Homes Foundation, certificates from gaming companies MGAME and ShenZehn were used to sign the backdoors, Baumgartner wrote. Both were originally issued by VeriSign. Stolen certs used in other Winnti attacks have been revoked; Kaspersky Lab has contacted Tibetan Homes Foundation; as of today a malicious footer .swf file was still hosted on the site.

The SWF file exploits CVE-2013-0634, a zero-day exploit brought to light in February. According to an initial report from security company FireEye, the SWF file contains an action script named LadyBoyle, named after a character in the video game Dishonored. The file targets the Flash Player on Firefox or the Apple browser Safari. It is also spread via email through an infected Word attachment. An emergency Adobe Flash Player update sent out Feb. 8 patched the problem.

CVE-2013-0634 is a memory corruption vulnerability that enables an attacker to gain remote control over a compromised computer. Some of the first LadyBoyle attacks targeted the aerospace industry and were signed by the stolen MGAME certificate used in other attacks, including one targeting the World Uyghur Conference in March.

Hackers working for the Chinese government have been accused of launching these attacks and planting malware on the computers of activists to monitor their communication, online activities and in some cases report their physical location back to a command and control server.

Activist Lhadon Tethong, director of the Tibet Action Institute. told Threatpost: “In the last two years, we’ve been seeing an incredible ramping up and crackdown on Tibetans communicating via mobile devices or the Internet with people on the outside. Tibetans are getting two years, five years, seven years [in prison] just for communicating with the outside. There is an intense paranoia and desire to control the flow of information and nab all the people inside who dare speak out.”

Watering hole attacks against Tibetan human rights sites have ramped up after a recent educational campaign within the community to move activists away from using email attachments to communicate. With the Chinese government reportedly monitoring email between dissidents, groups such as Citizen Lab Munk School of Global Affairs at the University of Toronto and the Tibet Action Institute, created a program called “Detach from Attachments,” that teaches activists alternative ways to safely communicate and organize their efforts. Ronald Deibert, Citizen Lab director, said that the campaign to move off attachments coincides with a spike in recent watering hole attacks.

Watering hole attacks are similar to drive-by download attacks in that websites are compromised by malware and infect unsuspecting visitors. In the case of watering hole attacks, sites of common interest to the target are compromised relieving the attacker of having to lure the victims to a malicious site using spear phishing emails.

Categories: Malware