NetTraveler is back – with some new tricks up its sleeve

NetTraveler is back – with some new tricks up its sleeve

This post is also available in: heעברית (Hebrew)

14996154_sThe attack vector NetTraveler (a.k.a Netfie, Travnet or Red Star APT), has been detected again. This is a new, advanced threat that has already infected hundreds of high profile users in over 40 counries. Known targets include Tibetan/Uyghur activists, oil industry companies, research institutes and centers, universities, private companies, governments and government institutions, embassies and security suppliers.

Immediately after the public disclosure of NetTraveler activity in June 2013, the attackers shut down the command and control centers and relocated to new servers in China, Hong Kong and Taiwan. From there the attacks continued unabated, as current events prove.

During the last few days some focused attacks targeted several Uyghur activists. A Java vulnerability used to spread the current version of Red Star APT was fixed last June, but its success rates were higher than other Office vulnerabilities (CVE-2012-0158) fixed by Microsoft last April.

iHLS – Israel Homeland Security

In addition to focused attacks by e-mail, the APT operators started using the “watering hole” technique (redirecting to malicious websites) to target victims surfing the internet.

Over the last month Kaspersky Lab intercepted a number of attacks originating from the address Webstock[dot]org, a website associated with earlier NetTraveler attacks. The victims were redirected there from other Uyghur websites, also successfully attacked by the same people responsible for NetTraveler.

Kaspersky Lab researchers expect more attacks, and they suggest a few methods of protection:

  • updating Java
  • updating Windows and Office
  • updating any other software such as Adobe Reader
  • using a safe web browser such as Chrome
  • avoiding unknown links and files

According to Kaspersky Lab NetTraveler didn’t utilize any “day-zero” vulnerabilities in its attacks. Updating software wouldn’t necessarily help against the attacking group, but technologies such as automatic vulnerability prevention and “prevention by default” might be much more effective.

BcpIT650x90