Chinese suspected for Forbes November hack

Forbes was the victim of a hacking attack in November, with the news appearing on Forbes’ own website earlier this week.

Cyber security firms claim Chinese hackers are behind the attack, although by their own admission there is not yet enough evidence to support that claim.

The attackers exploited a vulnerability in the Adobe Flash widget that delivers the site’s Thought of the Day page, using it to redirect visitors to a specially crafted website.

That site would then serve an exploit for a zero-day vulnerability in Flash and, where needed, for a second flaw in Microsoft Internet Explorer.
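The redirect chain described above is the hallmark of a watering-hole attack: a trusted page loads a component that quietly sends the browser somewhere else. As an added example, not code from the article or from Forbes, the following Python script scans served HTML for elements that load content from, or redirect to, origins outside a site’s own allowlist, which is the kind of check that flags an injected loader before the exploit page is ever reached. The host names, the sample page and the allowlist are all constructed for illustration.

```python
"""Flag page elements that fetch content or redirect to hosts outside an
allowlist. Added example; all domains and the sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose src/data attribute makes the browser fetch or run remote content.
LOADER_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that loads remote content,
    plus any <meta http-equiv="refresh"> redirect target."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADER_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.resources.append((tag, attrs[name]))
        # <meta http-equiv="refresh" content="0;url=http://attacker.example/">
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content", "")
            if "url=" in content.lower():
                url = content.split("=", 1)[1].strip(" '\"")
                self.resources.append(("meta-refresh", url))


def origin_host(url, page_host):
    """Host a URL resolves to; relative URLs resolve to the page's own host.
    javascript: and data: URLs are returned as their scheme so they never
    match a host allowlist and are always flagged."""
    parsed = urlparse(url)
    if parsed.scheme in ("javascript", "data"):
        return parsed.scheme + ":"
    host = parsed.netloc.lower() or page_host
    return host.split("@")[-1].split(":")[0]   # drop credentials and port


def find_unexpected_loads(html, page_host, allowed_hosts):
    """Return (tag, url, host) for each resource whose host is neither the
    page's own host nor an allowlisted host or subdomain of one."""
    collector = ResourceCollector()
    collector.feed(html)
    flagged = []
    for tag, url in collector.resources:
        host = origin_host(url, page_host)
        trusted = host == page_host or any(
            host == a or host.endswith("." + a) for a in allowed_hosts
        )
        if not trusted:
            flagged.append((tag, url, host))
    return flagged


# Constructed sample: a legitimate CDN script, the site's own Flash widget,
# and a 1x1 iframe pointing at an attacker-controlled host (hypothetical name).
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.news.example/js/site.js"></script>
</head><body>
<object data="/widgets/thought-of-the-day.swf" type="application/x-shockwave-flash"></object>
<iframe src="http://update-check.example.net/index.php" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in find_unexpected_loads(
        SAMPLE_PAGE, "www.news.example", ["cdn.news.example"]
    ):
        print(f"unexpected {tag} load from {host}: {url}")
```

This only catches loaders injected into the HTML the server returns; a widget whose own SWF bytes were altered to perform the redirect internally would pass unnoticed, so a check like this belongs alongside comparing the hash of each served widget file against a known-good copy.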

The breach took place on 28 November 2014 and was discovered on 1 December; according to its press department, Forbes moved quickly to remedy it.

“The investigation has found no indication of additional or ongoing compromise nor any evidence of data exfiltration. No party has publicly claimed responsibility for this incident,” the spokesperson said.

Forbes’ website was used to spread two pieces of malware, detected as Swifi and Agent-ALEA.

Both are detected and blocked by most reputable antivirus products.

Forbes says two security companies claim Chinese hackers are behind the attack.

Threat intelligence provider iSight and endpoint security firm Invincea have claimed that a Chinese cyber-espionage group dubbed Codoso Team, also known as Sunshop Group, was responsible for the attack.

iSight claimed the malware, which attempted to download itself onto visitors’ machines after they hit Forbes.com, was written in simplified Chinese and resembled another malware family, Derusbi, a strain “unique to Chinese cyber espionage operators”.

Dan Holden, director of ASERT at Arbor Networks, says the attack was the work of a sophisticated attacker with a specialised mission:

"Zero-day vulnerabilities were used and this is extremely rare. Cyber criminals don’t use zero-day. Hacktivists don’t use zero-day. When zero-day is used it means you have a very sophisticated attacker with a specialised mission," he said.

"They either have to discover the zero-day themselves or purchase it, both of which take funding. Over the last few years you’ve seen more zero-day leveraged by state sponsored attacks than anything else because they are the ones with the best access to zero-day vulnerabilities and are, generally speaking, the only types of specialised attacks that require zero-day to be leveraged."