NetTraveler is back, Kaspersky Lab warns
Fresh activity from relocated APT spotted this week, says digital security specialist
Kaspersky Lab researchers today announced a new attack vector of NetTraveler (also known as "Travnet", "Netfile" or "Red Star APT"), an advanced persistent threat that has already infected hundreds of high-profile victims in more than 40 countries.
Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
According to Kaspersky Lab, immediately after the public exposure of the NetTraveler operations in June this year, the attackers shut down all known command-and-control systems and moved them to new servers in China, Hong Kong and Taiwan. They then continued the attacks unhindered, as the current case shows.
Over the past few days, several spear-phishing e-mails were sent to multiple Uyghur activists, Kaspersky said. The Java exploit used to distribute this new variant of the Red Star APT was patched only recently, in June 2013, and has a much higher success rate. The earlier attacks used Office exploits (CVE-2012-0158) that Microsoft patched in April.
In addition to the use of spear-phishing e-mails, APT operators have adopted the watering-hole technique (Web redirections and drive-by downloads on rigged domains) to infect victims surfing the Web.
Over the past month, Kaspersky Lab intercepted and blocked a number of infection attempts from the "wetstock.org" domain, which is a site known to be linked to previous NetTraveler attacks. Kaspersky Lab said the redirections appear to come from other Uyghur-related websites that were compromised and infected by NetTraveler attackers.
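The watering-hole pattern described above leaves a recognisable trace in outbound web logs: a request to a known-bad domain whose referer is an otherwise legitimate site. The following script is an added illustration (not Kaspersky's code or tooling) of how a defender might sweep proxy logs for that pattern. The only indicator taken from the article is the "wetstock.org" domain; the log format, the client addresses and every other hostname are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Watering-hole domain named in the article; any subdomain of it is matched too.
BLOCKED_DOMAINS = {"wetstock.org"}

# Constructed sample proxy log (not real traffic). Fields:
# timestamp client method url referer ("-" when absent)
SAMPLE_LOG = """\
2013-09-03T10:12:01Z 10.0.0.5 GET http://example-news.test/index.html -
2013-09-03T10:12:02Z 10.0.0.5 GET http://wetstock.org/x/landing.html http://example-news.test/index.html
2013-09-03T10:15:44Z 10.0.0.7 GET http://cdn.example.test/jquery.js http://example-shop.test/
2013-09-03T10:16:10Z 10.0.0.9 GET http://sub.wetstock.org/p/ http://example-forum.test/thread/12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def domain_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def find_watering_hole_hits(log_text, blocked=BLOCKED_DOMAINS):
    """Return one record per request whose destination host is blocked.

    Each record keeps the referer host, which is the site that sent the
    browser to the bad domain and is therefore a candidate compromised site.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, method, url, referer = m.groups()
        host = urlparse(url).hostname or ""
        if not domain_matches(host, blocked):
            continue
        ref_host = urlparse(referer).hostname if referer != "-" else None
        hits.append({
            "time": ts,
            "client": client,
            "host": host,
            "referer_host": ref_host,
        })
    return hits


def suspected_redirect_sources(hits):
    """Distinct referer hosts that led clients to a blocked domain."""
    return sorted({h["referer_host"] for h in hits if h["referer_host"]})


if __name__ == "__main__":
    found = find_watering_hole_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} -> {h['host']} (via {h['referer_host']})")
    print("sites to review for compromise:", suspected_redirect_sources(found))
```

The referer list is the useful output: each entry is a site that should be reviewed for injected redirect code, and each client that reached the blocked domain is a host to examine for a dropped payload, whether or not the proxy blocked the request.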
Kaspersky Lab's Global Research and Analysis Team (GReAT) believes that other recent exploits could be integrated and used against the group's targets, and offers recommendations on how to stay safe from such attacks. The team advises users to update Java to the most recent version or, if they do not use Java, uninstall it; update Microsoft Windows and Office to the latest versions; update all other third-party software, such as Adobe Reader; use a secure browser such as Google Chrome, which has a faster development and patching cycle than Windows' default Internet Explorer; and be wary of clicking on links and opening attachments from unknown persons.
"So far, we haven't observed the use of zero-day vulnerabilities with the NetTraveler group," said Costin Raiu, director of Global Research & Analysis Team at Kaspersky Lab.
"To defend against those, although patches don't help, technologies such as DefaultDeny and Automatic Exploit Prevention can be quite effective in fighting advanced persistent threats."