Security Experts:

New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military

Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.

FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.

According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.

According to a recently-released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. The attack against the Council of Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering & Development Co., involved three different adversaries using multiple types of malware, the report found. In March 2013, one of the attack groups compromised a Harvard University site targeting people who were concerned with military, international relations, and human rights issues in the Far East.

IE Zero Day

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye researchers wrote in a blog post. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm."

Key findings in the attack include:

• The vulnerability (CVE-2014-0322) is a previously unknown use-after-free vulnerability in Microsoft Internet Explorer 10.

• Because the vulnerability allows attackers to modify memory to an arbitrary address, the attacker can use it to bypass ASLR. 

• Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET).  

• The exploit dropped an XOR (0×95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce).

• The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11.

• The particular variant of the ZxShell backdoor called back to a command and control server located at newss[.]effers[.]com, which at the time of publishing resolves to 118.99.60.142. The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.

The attackers have previously targeted a number of different industries, including U.S. government entities, Japanese firms, defense contractors, and others.

“The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term,” FireEye warned.

A FireEye spokesperson told SecurityWeek that the site is no longer infected and serving the exploit.

More information and details are available from FireEye.