NetTraveler Espionage Bug Adds Java Exploit to Bag of Tricks

NetTraveler is designed to steal sensitive data, as well as log keystrokes

Kaspersky Lab researchers noted that over the last few days, several spear-phishing emails were sent to multiple Uyghur activists using a Java exploit (CVE-2013-2465). This exploit has a much higher success rate than the earlier attacks, which relied on Office exploits for a vulnerability (CVE-2012-0158) that Microsoft patched last April. Kaspersky Lab’s Global Research and Analysis Team predicts that other recent exploits could be integrated and used against the group’s targets as well. So far, the firm hasn’t observed the NetTraveler group using zero-day vulnerabilities.

In addition to the use of spear-phishing e-mails, APT operators have adopted the watering hole technique (i.e., web redirections and drive-by downloads on rigged domains) to infect victims surfing the web. Over the last month, Kaspersky Lab intercepted and blocked a number of infection attempts from the “wetstock[dot]org” domain, which is a known site linked to previous NetTraveler attacks. These redirections appear to come from other Uyghur-related websites belonging to the “Islamic Association of Eastern Turkistan,” which were compromised and infected by the NetTraveler attackers.
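The watering-hole chain described above (a compromised legitimate site redirecting visitors to the rigged domain) leaves a characteristic trace in web proxy logs: a request to the known NetTraveler domain whose referer is some other site. The following is an added example, not code from the article or from Kaspersky Lab; it assumes a constructed, simplified proxy log format (timestamp, client, method, URL, status, referer) and constructed `.test` hostnames, and uses the page's `wetstock.org` domain as the only watchlist entry.

```python
import re
from urllib.parse import urlsplit

# Known NetTraveler watering-hole domain named on the page (defanged there as wetstock[dot]org).
WATCHLIST = {"wetstock.org"}

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status> <referer-or-dash>".
SAMPLE_LOG = """\
2013-09-03T10:12:01Z 10.0.0.21 GET http://example-news.test/index.html 200 -
2013-09-03T10:12:02Z 10.0.0.21 GET http://wetstock.org/jv/index.html 200 http://compromised-site.test/news.html
2013-09-03T10:13:44Z 10.0.0.35 GET http://cdn.example.test/lib.js 200 http://example-news.test/index.html
2013-09-03T10:15:09Z 10.0.0.21 GET http://sub.wetstock.org/x.jar 200 http://wetstock.org/jv/index.html
"""

# Assumed (constructed) log line layout; a real proxy would need its own pattern.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def domain_matches(host, watchlist):
    """True if host equals a watchlist domain or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer == "-" else referer,
    }


def find_watering_hole_hits(log_text, watchlist=WATCHLIST):
    """Return every request whose destination host is on the watchlist, with the referer host attached."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if domain_matches(host, watchlist):
            rec["referer_host"] = urlsplit(rec["referer"]).hostname if rec["referer"] else None
            hits.append(rec)
    return hits


def suspected_redirectors(hits, watchlist=WATCHLIST):
    """Referer hosts that are not themselves on the watchlist: candidate compromised sites to review."""
    return sorted(
        {h["referer_host"] for h in hits if h["referer_host"] and not domain_matches(h["referer_host"], watchlist)}
    )


if __name__ == "__main__":
    found = find_watering_hole_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} client={h['client']} url={h['url']} referer={h['referer']}")
    print("sites that redirected into the watchlist domain:", suspected_redirectors(found))
```

The client address in a hit tells the responder which endpoint to examine for a follow-on Java or Office exploit, and the referer hosts that are not on the watchlist are the sites worth checking for injected redirects, which is exactly how the compromised Uyghur-related sites mentioned above would surface.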

NetTraveler (also known as the “Travnet,” “Netfile” or “Red Star” APT) targets big fish, including Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, governments and governmental institutions, embassies and military contractors. The malware is designed to steal sensitive data, log keystrokes, and retrieve file system listings and various Microsoft Office or PDF documents.

When Kaspersky uncovered the malware in June, it had already successfully compromised at least 350 high-profile victims in 40 countries, with the total likely closer to 1,000.

Kaspersky researchers noted that immediately after the public exposure of the NetTraveler operations, the attackers shut down all known command-and-control systems and moved them to new servers in China, Hong Kong and Taiwan.

“They also continued the attacks unhindered, just like the current case shows,” the company said in a blog.

According to sinkhole analysis from Kaspersky Lab, the campaign is being carried out by an organized group. “We estimate the group size to about 50 individuals, most of whom speak Chinese natively and have working knowledge of the English language,” it said.

Users should update Java to the most recent version or uninstall it, and update Microsoft Windows and Office to the latest versions, along with all other third-party software, such as Adobe Reader. Kaspersky also recommends the use of a secure browser such as Google Chrome, which has a faster development and patching cycle than Windows’ default Internet Explorer. And, as always, users should be wary of clicking on links and opening attachments from unknown persons.
