02 May 2013
The US Department of Labor website was hacked and used to disseminate malware: malicious code running on the compromised page collected data from visitors and uploaded it to a remote command-and-control server.
The malicious script gathered information about Flash and MS Office versions, along with installed PDF plugins, and transmitted the captured data using a backdoor protocol associated with DeepPanda, a Chinese hacker.
Targeted systems were also scanned for running antivirus software, followed by attempts to disable it.
“Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website,” said Jaime Blasco, AlienVault's labs director.
Browsers that accessed the compromised webpage and executed the malicious script were exploited via the CVE-2012-4792 vulnerability patched earlier this year.
“After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year,” said Blasco. “We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.”
Affected users ended up broadcasting sensitive information to an attacker-controlled C&C server, while at the same time downloading the malicious payload locally.
With investigations still underway, it is unclear who hacked the US Department of Labor's website and what they intended to do with the collected data.