Back in late November, Forbes.com was hacked. If cyber security firms are right, Chinese hackers are to blame, but there's not enough evidence to guarantee attribution just yet.
The hackers tinkered with the Adobe Flash widget that delivers the Thought of the Day page shown to visitors arriving at Forbes.com. They did this to send specially-chosen visitors to a hacker-controlled site that would serve up an exploit against a zero-day vulnerability in Flash and, if needed, another flaw in
Our press department said that Forbes discovered on 1 December that on 28 November a file had been modified on a system related to the Forbes website. “The file was immediately reverted and an investigation by Forbes into the incident began. Forbes took immediate actions to remediate the incident. The investigation has found no indication of additional or ongoing compromise nor any evidence of data exfiltration. No party has publicly claimed responsibility for this incident,” the spokesperson said. It’s currently unclear how the hackers were able to compromise that Adobe Flash widget in the first place. Typically, there would be some kind of web server compromise, but that’s just speculation for now.
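The detection described above, a modified file on a web-related system spotted days after the change, is exactly what a file-integrity baseline is meant to catch quickly. The following is an added example, not Forbes's code or anything from the investigation: it hashes every file under a web root into a manifest, then compares a later manifest against it to list modified, added and removed files. The directory layout and file names in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as f:
            # Read in chunks so large assets (SWF, video) do not need to fit in memory.
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests and report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: a small web root whose Flash widget is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "widgets").mkdir()
        # Constructed sample files; the names are hypothetical, not Forbes's real paths.
        (root / "widgets" / "thought_of_the_day.swf").write_bytes(b"original widget bytes")
        (root / "index.html").write_text("<html>hello</html>")

        # Take the baseline and serialise it. In real use the JSON would be stored
        # off-host or on read-only media so an attacker on the web server cannot
        # simply rewrite the baseline along with the files.
        baseline_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Simulate the kind of tampering described in the article: the widget is
        # altered and an extra file appears.
        (root / "widgets" / "thought_of_the_day.swf").write_bytes(
            b"original widget bytes plus injected redirect")
        (root / "dropped.js").write_text("// constructed extra file")

        # A scheduled re-scan compares the current tree against the stored baseline.
        return diff_manifest(json.loads(baseline_json), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this periodically from a scheduler and alert on any non-empty list; the interesting operational detail is where the baseline lives, since a baseline stored next to the files it protects can be rewritten by the same access that modified them.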
Forbes obtained information on the files used to launch the exploits and checked them on Virus
The graph below shows how the attack methodology worked:
Two security companies, threat intelligence provider iSight and end point security firm Invincea, have claimed that a Chinese cyberespionage group dubbed Codoso
The firm claimed the malware used by the hackers, which would attempt to download itself after visitors hit the Forbes.com site, was written in simplified Chinese and was similar to another malicious software called Derusbi, a strain “unique to Chinese cyber espionage operators”. The command and control servers used by the malware were “passively connected” to tiiztm.com, a domain used in a number of Chinese cyber espionage incidents associated with Codoso Team, iSight added. It noted another three sites, “associated with Chinese dissident issues to include the Uyghur minority and Hong Kong democracy”, were also compromised to serve the same exploit. And there are some links to a group called Deep Panda, which security firm
Microsoft patched the Internet Explorer flaw today as part of its Patch Tuesday release. Adobe fixed the Flash issue on December 9.
So here’s what we know right now: The hackers used two zero-days to launch attacks on a specific subset of readers and there haven’t been any reported cases of successful exploitation, though they could exist. The attackers have not been able to establish any foothold on Forbes’ network. Chinese hackers appear to be the most likely suspects, but there’s no definitive proof.
This story will be updated as more information comes in.