Hackers are using vulnerabilities in Oracle Java and Adobe Flash to carry out drive-by attacks on visitors to foreign policy, defence, and humanitarian websites, according to security volunteer organisation the Shadowserver Foundation.
Drive-by exploits, in which a user visiting a compromised website is silently redirected to further sites that deliver malware, are being used to target users with defence, foreign policy, and humanitarian interests, the Foundation said.
Over the past two weeks, exploits that have been "heavily used" by attackers target a flaw in the Oracle Java Runtime Environment (CVE-2012-0507) and an object confusion vulnerability in Adobe Flash (CVE-2012-0779), Shadowserver security experts Steven Adair and Ned Moran said in a blog post on Tuesday. The Adobe flaw was patched in May, and the Oracle hole in February.
"Right now, as you read this, there are a few recent exploits that are being heavily used by attackers engaged in cyber-espionage to take a foothold onto various networks," Adair and Moran said.
Amnesty International Hong Kong's Chinese-language site is serving Flash exploit code. The attack does not appear to be linked to an attack on the Amnesty International UK site last week, but may be linked to an attack on the UK site last year, according to the researchers.
The US Center for Defense Information (CDI) has been compromised "multiple times in the last few weeks," and is serving a Flash exploit, said Adair and Moran.
"The CDI website is currently serving up a malicious Flash exploit that ties back [to] attackers known to engage in cyber-espionage," said the researchers. "This threat group appears to be interested in targets with a tie to foreign policy and defence activities."
In general, and in the CDI attack, the compromise of a victim's computer is split across a number of different websites hosted on servers located in different countries. Once a victim visits the compromised site, their computer is directed to each of these websites in turn to download the various components of the Poison Ivy remote access Trojan (RAT).
The Israeli International Institute for Counter-Terrorism site is hosting a Java exploit, and the Cambodian Ministry of Foreign Affairs site is serving a malicious Flash exploit that ultimately leads to the Poison Ivy RAT being installed via the compromised US Auto Association website.