Department of Labor Site Hacked

Wednesday, May 1, 2013 @ 01:05 PM gHale


Hackers got into a sub site on the U.S. Department of Labor. The site is the “Site Exposure Matrices” (www.sem.dol.gov) for the “Division of Energy Employees Occupational Illness Compensation” scheme.

While not a highly trafficked site, it has its own IP address, Time Warner Telecom manages it, and it does not appear to be part of the content-cached site that is the main Department of Labor site, said researchers at AlienVault Labs. The hack injected malware, which pulls in from another site “dol.ns01.us.”

RELATED STORIES
Blog Hacked, Phishing Attack Ensues
Phishing Hole: Execs Names Pilfered
Malware Attacks Hit Constantly
Spear Phishing: Energy Sector Targeted

That malware first performs a survey of the browser for Flash versions, checks if various anti-virus packages are running, checks for Java installations and versions, Office versions, and PDF plugins.

It then posts the results of that to a URL on the site where the script came from and, according to AlienVault, tries an IE 6-8 exploit from 2012 which, if successful, will permanently install an executable that connects to another command-and-control network.

It disguises its calls to that C&C network as what appear to be CGI GET queries on a photo system. AlienVault said the fingerprint of this disguise matches a “known Chinese actor called DeepPanda.”

Although the attack is real, it seems that, unless a user is claiming compensation from an occupational illness scheme after working in the energy industry, they are unlikely to come into contact with this malware. This appears to be another example of a low-hanging government out-sourced web site suffering compromise.



Leave a Reply

You must be logged in to post a comment.