A new round of hacking attacks is being directed specifically against Israel, cyber-security giant Check Point believes. The exploit, which uses infected Microsoft Word documents to insert malicious code into a user’s computer, “appears to be politically motivated, instigated against a particular nation-state,” the company said.
Even so, the company said, the identity of the hackers behind the attack is unclear, and may never be known, because it is almost impossible to trace such attacks back to the original server that issued them. And, while Check Point would not name the specific targets of the attack, it said that they included Israeli public (i.e., government) and private organizations, and that the attacks had been going on “for some time.”
“Two months ago, a malicious Rich Text Format (RTF) document came to the attention of Check Point Threat Intelligence & Research via a worried high-profile client in the public sector,” the company said in a blog post. “The file had been sent to many employees, several of whom opened the file; as a result, their machines became infected. Check Point took actions to prevent this document from further infecting the customer’s network, and also analyzed the file to better understand the attack.”
It was after analyzing that file, and comparing notes with other Israeli clients, that Check Point figured out what was going on: Someone was sending out documents carrying malicious macros (small scripts that automate tasks inside Microsoft Office files) that, once opened, installed themselves on the computer and began “phoning home” information about location, files, passwords, and more. The malware then replicated itself over the local area network, searching for files that contain passwords and other data – sending that on to the hackers as well, Check Point said.
The hacks weren’t even particularly sophisticated, said Check Point. “The specific vulnerabilities being exploited were enough to determine that this malicious document was not crafted by hand, but rather auto-generated by a well-known exploit kit called Microsoft Word Intruder (MWI),” on the market for at least two years and “available to anyone willing to pay a few thousand dollars.”
All a hacker has to do is load up their malicious code in the MWI kit and attach the resulting macros to a legitimate-looking document – and the code does the rest, sending back sensitive information when a hapless recipient opens the document. In this case, the cyber-weapon of choice was “a generic derivative of the Zeus Trojan, with all the usual functionality: the modification of browser security parameters; stealing FTP credentials, cookies and mail settings; and the ability to download and execute additional modules,” Check Point said.
In Israel, the data was uploaded to a local server belonging to a real estate firm – so security systems did not raise a red flag when they detected the data uploads, since the IP address of the recipient seemed legitimate. That server, however, had been compromised by the hackers, who were passing the malware from the local server to other servers outside the country. According to Check Point, the IP addresses of those machines, which the company was able to partially trace, indicated that the destination of the data was Russia and Ukraine, although it was highly likely that those addresses were “spoofed,” meaning that the true destination was indeterminable.
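The relay pattern described above, in which many internal hosts upload data to one outside server whose address looks harmless, is something a defender can look for in outbound proxy logs. The following is an added example written for this article; it is not Check Point's detection logic and is not from the report. It assumes a simple whitespace-separated log format (timestamp, source IP, method, destination host, bytes out, bytes in), a constructed allowlist of hosts the organisation legitimately posts data to, and constructed log lines using reserved `.test` domain names.

```python
"""Spot 'fan-in' uploads: many internal hosts POSTing to one unexpected host.

Added example, not Check Point's code. The heuristic is deliberately simple:
a destination that (a) is not on the known-business allowlist, (b) receives
POSTs from several distinct internal hosts and (c) receives far more bytes
than it sends back is worth a look, even if its IP reputation is clean.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist of services the organisation is known to upload to.
KNOWN_BUSINESS_HOSTS = {"crm.partner.test"}

# Constructed sample log: ts src_ip method host bytes_out bytes_in
SAMPLE_LOG = """\
2015-05-03T09:12:01 10.1.4.21 GET  www.news.test       512     48210
2015-05-03T09:12:44 10.1.4.21 POST realty-site.test    61440   220
2015-05-03T09:13:02 10.1.7.8  POST realty-site.test    90112   210
2015-05-03T09:13:30 10.1.9.14 POST realty-site.test    73728   230
2015-05-03T09:14:10 10.1.4.21 POST crm.partner.test    20480   1024
2015-05-03T09:14:55 10.1.7.8  POST crm.partner.test    18432   990
2015-05-03T09:15:00 10.1.9.14 POST crm.partner.test    22528   1100
2015-05-03T09:15:21 10.1.2.2  POST cdn.example.test    4096    300000
this line is malformed and must be skipped
"""


def _parse(line: str):
    """Return a record dict for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, method, host, bytes_out, bytes_in = parts
    try:
        return {
            "src": ipaddress.ip_address(src),
            "method": method,
            "host": host,
            "out": int(bytes_out),
            "in": int(bytes_in),
        }
    except ValueError:
        return None


def find_fan_in_uploads(log_text: str, allowlist, min_sources: int = 3,
                        min_ratio: float = 5.0):
    """Aggregate POST traffic per destination and flag suspicious fan-in.

    Returns a list of dicts sorted by bytes uploaded, largest first.
    """
    per_host = defaultdict(lambda: {"sources": set(), "out": 0, "in": 0})
    for line in log_text.splitlines():
        rec = _parse(line)
        # Only uploads from RFC 1918 (internal) addresses are of interest here.
        if rec is None or rec["method"] != "POST" or not rec["src"].is_private:
            continue
        agg = per_host[rec["host"]]
        agg["sources"].add(str(rec["src"]))
        agg["out"] += rec["out"]
        agg["in"] += rec["in"]

    hits = []
    for host, agg in per_host.items():
        if host in allowlist:
            continue
        # Guard against division by zero for hosts that return nothing.
        ratio = agg["out"] / max(agg["in"], 1)
        if len(agg["sources"]) >= min_sources and ratio >= min_ratio:
            hits.append({
                "host": host,
                "sources": len(agg["sources"]),
                "bytes_out": agg["out"],
                "upload_ratio": round(ratio, 1),
            })
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_fan_in_uploads(SAMPLE_LOG, KNOWN_BUSINESS_HOSTS):
        print(hit)
```

The allowlist is what keeps the rule quiet on the CRM partner that three hosts also post to; the thresholds are starting points to tune against a baseline of normal upload behaviour rather than fixed values.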
More than half of all the attacks using this exploit, Check Point observed, were targeted at Israeli servers – and in particular, servers in government agencies, some with sensitive data.
“There are many reasons campaigns can end up with a lopsided geographical distribution of infection victims; that, alone, does not necessarily imply a ‘targeted campaign’ scenario,” said the company. “However, this case was different. Israeli targets were not just over-represented; the list of targeted Internet addresses contained a number of Israeli government agencies, security industry firms, municipal agencies, research institutions and even hospitals. In total, over 200 machines and 15 distinct Israeli firms and institutions were targeted.”
The role of defense, said Check Point, is – as usual – critical. “Regardless of the campaign’s origins, the advice for defending against exploit kits as an attack vector remains the same: update your software; update your anti-virus signatures; audit files with sandbox analysis before they enter your network; employ anti-bot and post-infection technology to assist in identifying hosts that have been compromised; use a script blocker for your web browser; and be wary of any web links or documents that came unsolicited or from a party you don’t fully trust.”
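One concrete form of the advice to audit files before they enter the network is a static triage pass over inbound RTF attachments, looking for the structural features that a kit-generated document of the kind described in this article tends to carry: embedded OLE objects, hex payload blobs, and an object payload containing the OLE compound-file signature. The code below is an added example written for this article; it is not Check Point's tooling and is not from the report. It relies only on documented RTF control words (`\object`, `\objdata`, `\objupdate`) and on the standard compound-file header bytes; the sample documents are constructed, and the size threshold is an assumed starting value.

```python
"""Static triage of an RTF attachment before it reaches a mailbox.

Added example, not Check Point's code. Flags RTF files that embed OLE
objects, carry an \\objdata blob containing a compound-file (OLE) header,
request an automatic object update on open (\\objupdate), or carry an
unusually large hex payload. It is a first-pass gate, not a replacement
for sandbox detonation.
"""
import re
from dataclasses import dataclass, field

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file signature
LARGE_BLOB_BYTES = 64 * 1024                    # assumed threshold


@dataclass
class RtfTriage:
    is_rtf: bool
    embedded_objects: int = 0
    ole_payloads: int = 0
    largest_blob_bytes: int = 0
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.is_rtf:
            return "not-rtf"
        return "quarantine" if self.findings else "allow"


def _objdata_blobs(data: bytes):
    """Yield each hex blob that follows an \\objdata control word, whitespace removed."""
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data):
        yield re.sub(rb"\s+", b"", m.group(1))


def triage_rtf(data: bytes) -> RtfTriage:
    """Inspect raw bytes of a file and return a triage record with a verdict."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return RtfTriage(is_rtf=False)
    t = RtfTriage(is_rtf=True)

    # \object opens an embedded OLE object group; \objemb, \objclass etc. do not match.
    t.embedded_objects = len(re.findall(rb"\\object\b", data))
    if t.embedded_objects:
        t.findings.append(f"{t.embedded_objects} embedded OLE object(s)")

    if re.search(rb"\\objupdate\b", data):
        t.findings.append("object requests automatic update on open (\\objupdate)")

    for blob in _objdata_blobs(data):
        size = len(blob) // 2
        t.largest_blob_bytes = max(t.largest_blob_bytes, size)
        if size > LARGE_BLOB_BYTES:
            t.findings.append(f"\\objdata blob of {size} bytes")
        try:
            raw = bytes.fromhex(blob.decode("ascii"))
        except ValueError:
            t.findings.append("malformed \\objdata hex")
            continue
        if OLE_MAGIC in raw:
            t.ole_payloads += 1
            t.findings.append("compound-file signature inside \\objdata")
    return t


# Constructed samples: a plain memo and a document with an embedded package object.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}} Quarterly report attached.\par}"


def _constructed_objdata() -> bytes:
    # Constructed OLE1-style prefix followed by a compound-file header and padding.
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + OLE_MAGIC + b"\x00" * 64
    return payload.hex().encode("ascii")


SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata "
    + _constructed_objdata()
    + rb"}}\par}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        result = triage_rtf(doc)
        print(name, result.verdict, result.findings)
```

A gateway would run `triage_rtf` on every inbound attachment whose name or header says RTF and route anything that returns `quarantine` to sandbox analysis, which is the step the quoted advice actually calls for; the static pass only decides what is worth detonating first.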