Amnesty websites compromised in Gh0st RAT attack

Amnesty International websites in the UK and Hong Kong have been compromised and made to serve a variant of malware known as Gh0st RAT, security researchers have said.

Websense revealed the hack of Amnesty's UK site in a blog post on Friday, saying it had picked up the incident between 8-9 May. Amnesty dealt with that breach before the public announcement was made, but Websense subsequently updated its post to say the charity's Hong Kong site had also been compromised over the weekend.

"The malicious codes are still live and active," Websense said of the Hong Kong attack. Both of the sites had been targeted before: the UK site in 2009 and the Hong Kong site in 2010.

"In the most recent case, we noticed that the exploit vector used was the same Java exploit that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback," Websense said.

According to the security firm, the executable taking advantage of the flaw appeared to have a Verisign certificate that "has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity".

The executable created a binary file that Websense identified as Gh0st RAT. This remote administration tool has previously been used against Tibetan activist groups, according to reports in March.

"With this control, the remote administrator has access to a user's files, email, passwords, and other sensitive personal information," Websense said on Friday.