Kaspersky Lab's principal security researcher Kurt Baumgartner reported discovering the attack in a blog post, confirming that a hacker group has hijacked control of the site and is using it to redirect unaware users to a malicious web page. He said the attack is interesting because the malicious code is written to specifically target Chinese and American visitors.
"The attack itself is precisely targeted, as an appended, embedded iframe redirects 'xizang-zhiye(dot)org' visitors (this is the Chinese-translated version of the site) to a java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more," he wrote.
Marta Janus, security researcher at Kaspersky Lab, said the attack uses an old Java exploit to bypass security protocols, deliver the malware payload and gain access to data stored on the infected machine. "The attackers injected malicious code into the Chinese version of the tibet.net website, causing the users to be redirected to the Java exploit, which tries to install the backdoor application on their computers. The backdoor then enables the attackers to harvest information from infected computers," she told V3.
Janus said attacks towards Tibetan activists are nothing new, and have been taking place for a couple of years now, yet the attackers are constantly coming up with more and more sophisticated techniques.
"Although this particular advanced persistent threat (APT) doesn't seem to affect non-Chinese speaking people, cyber criminals can reuse some of the methods for distributing other malware in other countries as well. That's why it's always important to be aware of such threats and adequately protect ourselves, even if we are not falling into the 'target' category this time."
Janus added that, while troubling, the attack is of little concern to most businesses. "It affects only those users who visit the Chinese version of the tibet.net website. Therefore, we can say that the target was Chinese-speaking people interested in Tibet and its political situation," she said.
"From the server side, the problem can be fixed by removing the malicious code from the website, investigating the breach and addressing the potential security flaws in the software that runs on the server. To prevent infection, the users should always ensure that their computers and AV software are up to date."
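The server-side clean-up Janus describes starts with finding the injected code. The pattern in this incident was an iframe appended to one localized copy of the site, so a scan has to cover every language version rather than only the primary one. The following Python scanner is an added example, not code from the article, from V3 or from Kaspersky Lab: it flags iframes that point off-site, are sized or styled to be invisible, or sit after the closing `</html>` tag. The sample page, the site host name and the `malicious.example` URL are all constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: legitimate markup that ends with </html>, followed by
# an appended, hidden, off-site iframe (the pattern described in the article).
# Neither the host nor the URL is real.
SAMPLE_PAGE = """<html><head><title>Sample localized page</title></head>
<body><p>Sample body text</p><iframe src="/embed/video"></iframe></body></html>
<iframe src="http://malicious.example/java/" width="0" height="0" style="display:none"></iframe>
"""

SITE_HOST = "www.example.org"  # constructed: the host the page legitimately lives on


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, wherever it appears."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value come back as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return a list of {src, reasons} for iframes that look injected.

    Reasons checked:
      - the src points to a host other than the site's own
      - the frame is hidden (zero width/height or display:none)
      - the tag appears after the closing </html> tag (appended content)
    """
    parser = IframeCollector()
    parser.feed(html)

    # Anything after </html> is appended content, which is where this
    # incident's iframe sat.
    end = re.search(r"</html>", html, re.IGNORECASE)
    trailing = html[end.end():] if end else ""

    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []

        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")

        style = attrs.get("style", "").replace(" ", "").lower()
        if attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style:
            reasons.append("hidden")

        if src and src in trailing:
            reasons.append("appended after </html>")

        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, SITE_HOST):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it against each localized copy of a site, as served to a visitor, because a scan of the primary version alone would have missed an injection that only touched the Chinese pages. Any finding should be treated as the start of the breach investigation Janus describes, not as the whole of it.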
Watering hole attacks are a growing challenge facing the security community. Security firm Context reported detecting a number of state-sponsored cyber attacks targeting businesses with government or military contracts.