Top Think Tank's Website Hacked in Watering-Hole Attack
Wildebeest and zebras at a watering hole in Chobe National Park in Botswana.
CREDIT: Gorgo/Public domain
How would you like it if one of your favorite websites were hacked and rigged to infect you with malware?
That's what seems to have happened to the website of the Council on Foreign Relations (CFR), a New York-based bipartisan think tank with a long list of illustrious members.
The CFR's website was infected around Dec. 21 with a Trojan that exploited a previously unknown, or zero-day, flaw in older versions of Internet Explorer, setting up visitors using IE for a drive-by download infection.
"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft said in a security advisory posted Saturday (Dec. 29). "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
The malware affects Internet Explorer versions 6 through 8. Internet Explorer 9 and 10 are not affected, meaning users of Windows Vista, Windows 7 and Windows 8 can upgrade to those browsers to avoid infection.
Microsoft is working on a fix, but in the meantime recommends that Windows users who cannot upgrade to newer versions of Internet Explorer set their Internet and intranet security-zone settings to "High," set up alerts before running Active Scripting, and install the free Enhanced Mitigation Experience Toolkit. [Update: Microsoft has posted a "fix-it," a script that temporarily fixes the problem while the company continues to work on a full patch.]
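For administrators who want to confirm that the zone-related workarounds are in place, the following added example (not from Microsoft or the original article) reads the current user's Internet and Local intranet zone settings and reports whether each zone is at "High" or has Active Scripting set to prompt or disabled. The helper name `Get-Label` and the report layout are illustrative; the registry path and value codes are the documented Internet Explorer zone settings.

```powershell
# Added example: audits the per-user Internet Explorer zone settings named in
# the workaround. Assumptions: PowerShell 3.0 or later; only HKCU is read, so
# Group Policy or machine-wide (HKLM) overrides are not reflected.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$levelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
                  0x11500 = 'Medium-high'; 0x12000 = 'High'; 0 = 'Custom' }
$scriptNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hypothetical helper: turn a raw DWORD into a readable label.
function Get-Label($map, $value) {
    if ($null -eq $value)         { return 'Not set' }
    if ($map.ContainsKey($value)) { return $map[$value] }
    return ('Unknown (0x{0:X})' -f $value)
}

$report = foreach ($id in 1, 3) {
    $props     = Get-ItemProperty -Path "$base\$id" -ErrorAction SilentlyContinue
    $level     = $props.CurrentLevel   # security template applied to the zone
    $scripting = $props.'1400'         # URLACTION_SCRIPT_RUN (Active Scripting)

    # The zone meets the workaround if it is at High, or if Active Scripting
    # prompts or is disabled. A missing value counts as not hardened.
    $hardened = ($level -eq 0x12000) -or ($scripting -in 1, 3)

    [pscustomobject]@{
        Zone            = $zoneNames[$id]
        SecurityLevel   = Get-Label $levelNames $level
        ActiveScripting = Get-Label $scriptNames $scripting
        Hardened        = $hardened
    }
}

$report | Format-Table -AutoSize
if ($report.Hardened -contains $false) {
    Write-Warning 'At least one zone does not meet the recommended workaround.'
}
```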
The CFR website compromise was first reported by the Washington Free Beacon, a conservative news blog that quoted anonymous sources as saying the attack seemed to originate in China.
FireEye, a Milpitas, Calif.-based information-security company, confirmed the CFR website was hosting malicious code in the form of a rigged Adobe Flash file.
In its blog posting, FireEye noted that the code associated with the malware also restricted its victims to only systems using English, Russian, Chinese, Korean or Japanese, and that some internal code used simplified Chinese characters, as used on the Chinese mainland.
Chinese state-sponsored hackers have been suspected in dozens of major information-stealing network attacks on Western governments, corporations and organizations over the past half decade.
Such attacks are often politely termed "advanced persistent threats," and while most of the evidence points to China, few of the suspicions have been proven.
American bigwig jackpot
Because the CFR is so prestigious and influential, experts characterized its website's hijacking as a "watering-hole" attack.
Watering-hole attacks are similar to spear-phishing attacks in that they target computers belonging to a specific person or a small group of people, but they use Web browsers instead of email clients as the infection mechanism.
In the case of the CFR, dozens of its prominent members would be ripe targets for state-sponsored information thieves. Former Treasury Secretary and Goldman Sachs head Robert Rubin co-chairs the board of directors, while former U.S. Secretaries of State Madeleine Albright and Colin Powell sit on the board, as do journalists Tom Brokaw and Fareed Zakaria.
Former secretaries of state Henry Kissinger, George Shultz and James Baker are reportedly lifetime members, as are current Secretary of State Hillary Clinton and her husband, former President Bill Clinton, as well as Hillary Clinton's possible replacement Sen. John Kerry.
Other lifetime members are said to include Fox News Channel head Roger Ailes, his boss Rupert Murdoch, New York City Mayor Michael Bloomberg, Supreme Court Justice Stephen Breyer, Vice President Joe Biden, former vice presidents Dick Cheney and Walter Mondale and former presidents George H.W. Bush and Jimmy Carter.