The Latest in IT Security

New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military

14
Feb
2014

Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.

FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.

According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background which runs a Flash object that orchestrates the remainder of the exploit.

According to a recently-released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. The attack against the Council of Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering Development Co., involved three different adversaries using multiple types of malware, the report found. In March 2013, one of the attack groups compromised a Harvard University site targeting people who were concerned with military, international relations, and human rights issues in the Far East.

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye researchers wrote in ablog post. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

Key findings in the attack include:

• The vulnerability(CVE-2014-0322) is a previously unknown use-after-free vulnerability in Microsoft Internet Explorer 10.

• Because the vulnerability allows attackers to modify memory to an arbitrary address, the attacker can use it to bypass ASLR.

• Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET).

• The exploit dropped an XOR (0×95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce).

• The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11.

• The particular variant of the ZxShell backdoor called back to a command and control server located at newss[.]effers[.]com, which at the time of publishing resolves to 118.99.60.142. The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.

The attackers have previously targeted a number of different industries, including U.S. government entities, Japanese firms, defense contractors, and others.

“The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term,” FireEye warned.

A FireEye spokesperson told SecurityWeek that the site is no longer infected and serving the exploit.

More information and details are available from FireEye.

Tweet

Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military Bit9 Raises $38 Million, Acquires Carbon BlackProlexic Warns of New DNS Flooder DDoS Attack ToolkitCloudFlare Infrastructure Hit With 400Gbs NTP-Based DDoS AttackFireEye Unveils All-in-One Platform to Detect, Contain and Mitigate Threats

sponsored links

Tags: Cyberwarfare

NEWS INDUSTRY

Vulnerabilities

Comments are closed.

Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments