Sub-site of US Department of Labor hacked
AlienVault Labs is reporting that the US Department of Labor site (www.dol.gov) has been hacked, but, to be more precise, it is a specific sub-site that has been compromised: the "Site Exposure Matrices" (www.sem.dol.gov) for the "Division of Energy Employees Occupational Illness Compensation" scheme. This less-travelled site is hosted on its own IP address, is managed by Time Warner Telecom, and does not appear to be part of the content-cached infrastructure that serves the main Department of Labor site. Whatever the hosting arrangement, the attackers have injected a malicious script into the site's pages, which is pulled in from another domain, "dol.ns01.us", chosen to look like a legitimate Department of Labor host.
That script first surveys the visitor's browser: it records the Flash version, checks whether various anti-virus packages are running, and checks for Java installations and versions, Office versions, and PDF plugins. It then posts the results to a URL on the same domain the script came from and, according to AlienVault, attempts an exploit against Internet Explorer 6 to 8 dating from 2012. If the exploit succeeds, it persistently installs an executable that connects to a separate command-and-control (C&C) infrastructure. The implant disguises its C&C traffic as what appear to be CGI GET requests to a photo system. AlienVault says the fingerprint of this disguise matches a "known Chinese actor called DeepPanda," and it points to an earlier analysis of that attacker.
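The injection described above has a signature a defender can look for without knowing the payload: a page on the compromised site pulling a script from a third-party host whose name imitates the site's own brand. The following is an added example, not code from the original article or from AlienVault; it scans a constructed sample page (hypothetical paths, based on the hosts named in the article) for external script includes and flags the ones whose domain contains the site's brand as a subdomain label of some unrelated domain, which is exactly the dol.ns01.us pattern.

```python
"""Flag third-party <script src> includes that imitate the host site.

Added example. Constructed sample input; a real scan would fetch the live
pages and would use the Public Suffix List to find the registrable domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page served from www.sem.dol.gov that loads one
# relative script, one legitimate first-party script, and one injected
# script from the look-alike domain named in the article. Paths are made up.
SAMPLE_HOST = "www.sem.dol.gov"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://www.dol.gov/common/menu.js"></script>
<script type="text/javascript" src="http://dol.ns01.us/scripts/tracker.js"></script>
</head><body>Site Exposure Matrices</body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def registrable_domain(host):
    """Crude registrable-domain guess: the last two labels.

    Adequate for dol.gov and ns01.us here; real code should consult the
    Public Suffix List (e.g. co.uk would be handled wrongly by this).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_external_includes(html, page_host):
    """Return every script include not served from the page's own domain.

    Each finding carries a 'lookalike' flag that is True when the page's
    brand label (e.g. 'dol') appears as a subdomain of an unrelated domain.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    site = registrable_domain(page_host)
    brand = site.split(".")[0]
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if not host:
            continue  # relative URL: first-party, not interesting here
        if registrable_domain(host) == site:
            continue  # same registrable domain: first-party
        labels = host.lower().split(".")
        lookalike = brand in labels[:-2]  # brand used as a subdomain label elsewhere
        findings.append({"src": src, "host": host, "lookalike": lookalike})
    return findings


if __name__ == "__main__":
    for f in find_external_includes(SAMPLE_HTML, SAMPLE_HOST):
        tag = "LOOK-ALIKE" if f["lookalike"] else "external"
        print(f"{tag}: {f['host']}  <- {f['src']}")
```

Run against the real pages this would have to be fed a crawl of the site; the check is cheap enough to run on every release of a site's HTML, and any external include that trips the look-alike flag deserves a manual look, since a legitimate CDN or analytics host almost never carries the customer's brand as a dynamic-DNS style subdomain.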
Although the attack is real, it is narrowly targeted: unless a user is claiming compensation under an occupational illness scheme after working in the energy industry, they are unlikely to visit the affected pages and come into contact with this malware. It also appears to be another example of an outsourced government web site proving to be low-hanging fruit for attackers.