Forbes website used as a watering hole by Chinese Hacking group ‘Codoso Team’Watering HoleHistoryIdentification
Users, using Internet browser who visited Forbes.com on the four days following Thanksgiving were open to be hacked, two cybersecurity firms said Tuesday. The companies, iSight Partners and Invincea, said hackers who allegedly belong to the Chinese hacker group Codoso Team, had reprogrammed Forbes’ “Thought of the Day” widget to send malicious computer code to readers’ computers.
Watering Hole
A watering hole attack is an attack in which the hackers infect a website – typically a major website as in this case – and every visitor to that website is infected with a malware. Security researchers from iSIGHT Partners and Invincea say that this appears to be the handiwork of a long-running group they call Codoso Team, which has also been named as Sunshop Group. The campaign against Forbes.com was made possible by a zero-day attack that strung together an Adobe (not again sic!) vulnerability with a bypass vulnerability in Microsoft’s ASLR technology for Internet Explorer, which Microsoft has patched today. The researchers found that the attack occurred over a couple of days following the Thanksgiving holiday in the US. In addition to attacking properties of the website, the Thought of the Day widget on Forbes.com was also infected with the intention of exploiting the aforementioned Flash vulnerability and causing users to download malware. A surprising aspect of this attack is that even though Forbes.com has a huge appeal globally, the targets of the hacking group were specific. The specific nature of their targets is what lead the researchers to believe that the attackers might be Chinese. The hackers seem to be targeting Chinese dissident groups, defense sector firms and other political and commercial targets.
History
The first time this group was identified was in 2013 by FireEye although they are supposed to have been operating in the wild from 2010. This group has been heavily depending on the Derusbi malware to carry out its attacks much like another group named Deep Panda. These two groups share similar techniques, but researchers believe them to be two separate groups. Hultquist says:
Identification
Anup Ghosh, CEO at Invincea says, his team first noticed the attack through a defense contractor. As mentioned, the group was surprised to find an attack targeting specific people. He also adds, that this attack is unique due to its use of a chaining of zero-day exploits. Not only was it attacking a Flash zero-day, but it was also leveraging a zero-day in ASLR to bypass that mitigation technique. Resource : iSIGHT Report and Invincea Report
