Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military

Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.

Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.

FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.

According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.

According to a recently-released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. The attack against the Council of Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering & Development Co., involved three different adversaries using multiple types of malware, the report found. In March 2013, one of the attack groups compromised a Harvard University site targeting people who were concerned with military, international relations, and human rights issues in the Far East.

IE Zero Day

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye researchers wrote in a blog post. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

Key findings in the attack include:

• The vulnerability (CVE-2014-0322) is a previously unknown use-after-free vulnerability in Microsoft Internet Explorer 10.

Advertisement. Scroll to continue reading.

• Because the vulnerability allows attackers to modify memory to an arbitrary address, the attacker can use it to bypass ASLR. 

• Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET).  

• The exploit dropped an XOR (0×95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce).

• The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11.

• The particular variant of the ZxShell backdoor called back to a command and control server located at newss[.]effers[.]com, which at the time of publishing resolves to 118.99.60.142. The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.

The attackers have previously targeted a number of different industries, including U.S. government entities, Japanese firms, defense contractors, and others.

“The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term,” FireEye warned.

A FireEye spokesperson told SecurityWeek that the site is no longer infected and serving the exploit.

More information and details are available from FireEye.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.