
Amnesty International Website Serves Malware For Two Days

The Amnesty International UK website was compromised for two days, serving up the nasty Gh0st RAT tool.

The Remote Administration Tool is mainly used in targeted attacks, as it lets cybercriminals take complete control over an infected system, letting them steal victims’ passwords, emails and data.

All users had to do to get infected with the malware was visit the website, which has now been cleaned after security company Websense reached out to Amnesty International.

This is not the first time an Amnesty International website has been hit. Websense found the same site had been compromised in 2009, whilst the Hong Kong arm of the charity was injected with dirty code in 2010.

Amnesty for hackers?

It is unknown how the site was infected this week, but Websense suspects it could be hackers taking advantage of a flaw in the content management system (CMS) being used by Amnesty International UK.

Carl Leonard, security research manager at Websense, told TechWeekEurope his company has seen widespread use of scanners to identify which software websites are running. Attackers then find flaws in that software and point exploit kits at the sites in order to compromise them. In the case of Amnesty International, it appears the site was hit as part of a wider attack campaign of this kind.
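The scanning stage Leonard describes leaves a recognisable trace in a site's own web server logs: one client requesting login pages and version files that belong to several different CMS platforms within a few seconds, something no ordinary visitor does. The following is an added example of how an administrator could flag that pattern (it is not code from Websense, Amnesty International or this article); the fingerprint path list, the five-minute window and the log lines are all constructed for the illustration.

```python
"""Flag clients that fingerprint a site's software by probing paths that
belong to several different CMS platforms in a short window.

Added example, not from the article or from Websense.  The path list,
the detection window and the sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Paths that only exist on particular platforms.  A real visitor of a
# WordPress site has no reason to also request Joomla or Drupal paths.
# (Assumed list; extend it for the software you actually run.)
FINGERPRINT_PATHS = {
    "/wp-login.php": "WordPress",
    "/wp-content/": "WordPress",
    "/readme.html": "WordPress",
    "/administrator/": "Joomla",
    "/user/login": "Drupal",
    "/CHANGELOG.txt": "Drupal",
    "/typo3/": "TYPO3",
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def cms_for_path(path):
    """Map a requested path to the CMS it fingerprints, or None."""
    for prefix, cms in FINGERPRINT_PATHS.items():
        if path.startswith(prefix):
            return cms
    return None


def find_scanners(lines, min_platforms=2, window=timedelta(minutes=5)):
    """Return {ip: sorted platforms} for clients that probe paths of at least
    `min_platforms` different CMSs within `window` of each other."""
    events = defaultdict(list)  # ip -> [(timestamp, cms)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cms = cms_for_path(rec["path"])
        if cms:
            events[rec["ip"]].append((rec["ts"], cms))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            platforms = {cms for t, cms in evs[i:] if t - t0 <= window}
            if len(platforms) >= min_platforms:
                flagged[ip] = sorted(platforms)
                break
    return flagged


# Constructed sample log: one fingerprinting client, one normal WordPress
# visitor, and one client whose two probes are hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:10:00:02 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:10:00:03 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2012:10:01:10 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 9000 "http://www.example.org/" "Mozilla/5.0"
198.51.100.4 - - [10/May/2012:10:01:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2012:09:00:00 +0000] "GET /typo3/ HTTP/1.1" 404 512 "-" "curl/7.22"
192.0.2.9 - - [10/May/2012:11:30:00 +0000] "GET /user/login HTTP/1.1" 404 512 "-" "curl/7.22"
""".splitlines()


if __name__ == "__main__":
    for ip, platforms in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {', '.join(platforms)} paths within 5 minutes")
```

Only the first client is reported: the second requests WordPress paths alone, as a real user of a WordPress site would, and the third touches two platforms but hours apart, so it falls outside the window. The threshold and window are starting points; tune them against your own traffic before acting on the output.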

“We’re not saying that Amnesty International themselves were specifically targeted because we did see over 100 websites also hosting the same code. So there’s definitely something on these 100 websites where an issue is resident and the malware authors are seeking to exploit that. There’s some commonality across those websites,” Leonard said.

“It could be a CMS issue, it could be a database issue. We’re still looking into seeing what that commonality might be.

“There’s certainly something common across them that allows the malware authors to not only deploy the exploit kit but also upload the malicious payload file.”
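Once the exploit kit has been dropped onto a site, what visitors receive is the site's normal pages plus a reference to code the owner never put there. A site owner who keeps a baseline of the origins their pages legitimately load code from can catch that by re-auditing the served HTML. The following is an added example of such a check (not code from Websense, Amnesty International or this article); the allowed-origin baseline, the page host and the sample pages, including the injected references, are constructed.

```python
"""Audit the script/iframe/object references in a served page against the
site's own baseline of allowed origins, and flag hidden iframes.

Added example, not from the article or from Websense.  The baseline,
the host names and the sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site legitimately loads code from (assumed baseline).
ALLOWED_ORIGINS = {"www.example.org", "cdn.example.org"}


class CodeRefCollector(HTMLParser):
    """Collect every element that can pull executable content into a page."""
    WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url or None, style attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.WATCHED:
            self.refs.append((tag, a.get(self.WATCHED[tag]), a.get("style") or ""))


def is_hidden(style):
    """True for the inline styles typically used to keep an injected frame invisible."""
    s = style.replace(" ", "").lower()
    return any(tok in s for tok in ("display:none", "visibility:hidden", "width:0", "height:0"))


def audit_page(html, page_host="www.example.org"):
    """Return a list of findings; an empty list means every code reference
    resolves to an allowed origin and no hidden iframe is present."""
    collector = CodeRefCollector()
    collector.feed(html)
    findings = []
    for tag, url, style in collector.refs:
        if url is None:  # inline <script> or a tag without a source
            continue
        host = urlparse(url).hostname or page_host  # relative URL: same origin
        if host not in ALLOWED_ORIGINS:
            findings.append(f"{tag} loads from unexpected origin {host}: {url}")
        if tag == "iframe" and is_hidden(style):
            findings.append(f"hidden iframe pointing at {url}")
    return findings


# Constructed sample pages: the site's own page, and the same page with
# an invisible iframe and a script injected just before </body>.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script>var page = "about";</script>
</head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://203.0.113.55/x.html" style="width:0;height:0;border:0"></iframe>\n'
    '<script src="http://203.0.113.55/k.js"></script></body>',
)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "->", audit_page(page) or "no findings")
```

The clean page produces no findings; the injected copy produces three, two for references to an origin outside the baseline and one for the zero-size iframe. Run against the HTML actually served to clients (fetched as a visitor would, not read from the repository), because an attacker who has uploaded files to the server can alter what is served without touching the source you keep elsewhere.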

Leonard said he had been in touch with VeriSign to see if it can investigate the certificate of the Gh0st RAT file being delivered. That certificate appeared to have been signed by the Chinese certificate authority (CA) Tencent. That certificate has also “been in use for a while and does not appear to have been revoked at the time of this latest exploit activity,” Websense said. It looks as though it will be valid until 26 January 2013.

This means that somewhere in the certification process, there has been a snafu. That could either be a mistake from the original CA, or a hacker may have compromised a CA to give themselves some fraudulent certificates, allowing them to dodge security products. The company using the certificate may also have made a mistake, but Leonard said it is unlikely the mystery will be solved.

Unfortunately, it appears many traditional anti-virus products are not protecting against this threat, Leonard said. “It is not great news. There was very low protection offered by traditional AV. The situation has not improved that much over the last few days,” he added. “The site is clean, but the actual harm could have already been done two days back.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • I don't understand why the use of certificates to "legitimize" malware is being treated as so unexpected. When Microsoft started their signed ActiveX nonsense years ago, anyone with any experience knew it was a bad idea. Until fairly recently you could write a piece of Java code and put anything in for the company name and Java displayed that name to the target. They finally fixed that but it really makes no difference. People want to see the dancing babies. :-)

    One of the local pentesters started a small company here in the US for the express purpose of getting a legit code-signing certificate. The incorporation and certificate cost him about $350 US and now all of his Java exploit malware tells the target it's trusted and even checks the "Always trust content from this publisher" box.
