Following detection of spearphishing attacks against Tibetan organisations, further attacks have been detected that claim to be from AlienVault.
The initial detection by AlienVault of spearphishing attacks from China was announced two weeks ago; the attacks contained a malicious PDF with a variant of Gh0st RAT (a remote-access Trojan) and exploited a known vulnerability in Microsoft.
However, the company's labs have now detected efforts by attackers to spoof AlienVault email addresses in an attempt to make their messages more realistic.
Jamie Blasco, head of labs at AlienVault, called this "a case of imitation being the sincerest type of flattery".
He said: "The incontrovertible fact that the professional-Chinese sympathisers have taken our research seriously enough to begin attempting to blacken our name indicates that our message concerning the Chinese cyber attackers has hit home, and the cyber criminal activists are not happy.
"While the professional-Chinese sympathisers are clearly seeking to tarnish AlienVault's reputation with their actions, I'm more than happy the message is getting through to the media that the continued cold war between China and Tibet has spilled over into cyber space.
"We have seen Tibetan sympathisers turn to self-immolation in their quest to bring their plight to the notice of Western governments, so any effect on our reputation pales into insignificance alongside their sacrifices."
The emails come from 'admin@alienvault.com' with a subject line of "Targeted attacks against Tibet organisations" and contain a malicious payload that loads a Java applet, which exploits CVE-2011-3544.
Blasco said: "Our research means that the attacks we have been tracking during the last month are associated with the Kalachakra Initiation, a Tibetan religious festival that came about in early January. The spearphishing emails are quite sophisticated and have an attachment that exploits a stack overflow vulnerability dating back to last September.
"Yes, AlienVault has effectively been drawn into the cyber conflict itself, but we plan on continuing to report in this humanitarian cause for so long as it takes. Our email spoofing problems are nothing compared with the issues that Tibetans are facing."
Blasco also said that automated bots are being used to spam Twitter users with hashtags related to the issue, including #tibet and #freetibet; the junk tweets are from automated Twitter accounts controlled by the Chinese government or its sympathisers.
Security researcher and blogger Brian Krebs also spotted this flood of Twitter spam, and said that it was not clear how long ago the artificial tweet campaigns began; he said the hashtags are now so closely linked to junk tweets from apparently automated Twitter accounts that they have ceased to be a useful way to track the China-Tibet situation.
Krebs said: "Twitter was very attentive to the botted accounts getting used to drown out hashtags following the disputed Russian elections, but these anti-Tibetan Twitter bots seem to have flown under the radar thus far.
"When I checked the location on Monday (19 March) evening, the bunk tweets geared toward popular Tibetan hashtags were still going strong. It is not immediately clear what number of apparently botted accounts are getting used to blast these tweets; most of them have zero, if any, followers, and are following only a few other accounts. Twitter has been notified about a couple of dozen accounts that seem to be the source of these kinds of junk messages."