According to the company’s Security Labs blog, Amnesty International’s United Kingdom website was compromised and hosting the potent Gh0st RAT Trojan earlier this week. Malicious Java code was planted on the site in a bid to push the Gh0st RAT Trojan onto vulnerable Windows machines. If successful, the attack plants malware onto machines that is capable of extracting the user's files, email, passwords and other sensitive personal information.
The vulnerability for the infection stemmed from a popular Java exploit, CVE-2012-050. Hackers exploited that hole and used it to inject the Amnesty International site’s script with malicious code. The Java hole was the same used by Flashback, the much buzzed-about Mac OS X Trojan in recent months.
The exploit code used in this attack appears to have been copied from Metasploit, an open source penetration testing framework popular among security professionals, Giuliani said.
The injected web code was removed after Websense alerted Amnesty to the issue.The attack bears all the hallmarks of a series of attacks that appear to be targeting pro-Tibet organisations and sympathisers, most likely by a group connected to China.
The Gh0st Trojan has been used by suspected Chinese hackers in several advanced persistent threat (APT) style attacks, most notably the ‘Nitro’ attacks against energy firms in 2011. Chinese involvement in the Amnesty International attack is suspected but unproven.
Websense detected over 100 other websites infected with the same malicious code as Amnesty International's U.K. website during the same time period, Carl Leonard, senior manager of Websense Security Labs, said.