Microsoft has released a patch to close a bug exploited by hackers, whose aim was at U.S military and government networks.
The flaw was used to compromise Windows PCs that visited sites seeded with other malware created by the group. Popular news site Forbes was one victim unwittingly enrolled into the cyber-espionage campaign. Security systems on US military networks ultimately foiled attempts to steal data, said one expert. "It's fairly brazen for a Chinese cyber-espionage group to use such a public site," said John Hultquist from iSight Partners, which said it had traced the attack back to a group called Codoso. Data grabbing Forbes' site was compromised via a software add-on, or widget, that made use of a version of Adobe's Flash software, which in turn was vulnerable to an exploit believed to have been created by Codoso. This was paired with a separate vulnerability that the hackers used to takeover Windows machines. The booby-trapped widget was present on the Forbes site between 28 November and 1 December, 2014, said a spokeswoman for the news site. "Forbes took immediate actions to remediate the incident," said the spokeswoman. "The investigation has found no indication of additional or ongoing compromise nor any evidence of data exfiltration." No group had claimed responsibility for the attack, she added. According to Mr Hultquist, he mentioned that the iSight had been tracking Codoso since 2010 and was confident it was behind the attack. Additional intelligence about its origin has been provided by security company Invincea which spotted machines infected via the Forbes exploit on military networks. Once it took hold on a Windows machine the Codoso malware sought to log what software the machine ran and to map networks to find other machines to compromise, Mr Hultquist explained "It's all about land and expand," he said. "They want to get in and stay in and be as persistent as possible and gather intelligence over a long period of time." No data was stolen from official US networks using this exploit, said Norm Laudermilch from Invincea. However, he said, analysis of the malware showed that it had been used to get at various other sites and the sheer number of people visiting Forbes would suggest a lot had been caught out by it. Adobe patched the Flash bug on 9 December and Microsoft has now moved to close the other loophole found and exploited by Codoso. Mr Hultquist said the evidence suggested Codoso was no common-or-garden cybercrime group. "There are different motivations for hacker groups, but this one is about espionage and that, by definition, is not about making money," he said. China was not alone in setting up such groups and trying to gather data by hacking, he added. "We've seen dozens of them," he said. "It's a very inexpensive way to get an advantage over your adversaries."