New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military

Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.

Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.

FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra.

According to FireEye, attackers compromised the VFW website and added an iframe to the site’s HTML code that loads the attacker’s page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit.
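The injected-iframe technique described above is something a site owner can check for in their own published HTML. The following is an added example, not code from FireEye or SecurityWeek: it flags iframes that pull content from an origin other than the site's own or that are styled to be invisible. The sample HTML and the hostnames `vfw.example` and `attacker.example` are constructed placeholders, not real indicators.

```python
"""Added example (not FireEye's or SecurityWeek's code): flag iframes that
look like a watering-hole injection, i.e. they load content from another
origin and/or are styled so the visitor never sees them.
The HTML below is constructed for the demo; 'vfw.example' and
'attacker.example' are placeholder hostnames, not real indicators."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "vfw.example"  # placeholder for the site being audited


class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # A relative src stays on the site; an absolute one names its host.
        host = urlparse(src).hostname or self.site_host
        reasons = []
        if host != self.site_host:
            reasons.append("external origin " + host)
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if a.get("width") == "0" or a.get("height") == "0":
            reasons.append("zero size")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_html(html, site_host=SITE_HOST):
    """Return a list of suspicious iframes found in the page."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate same-site iframe, one injected one.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
<iframe src="http://attacker.example/img.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Running this against a site's own pages on a schedule, and diffing the results against a known-good baseline, turns an injected iframe into an alert rather than a surprise.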

According to a recently released report from CrowdStrike, Strategic Web Compromises (SWC), where attackers infect strategically chosen websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. The attack against the Council on Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering & Development Co., involved three different adversaries using multiple types of malware, the report found. In March 2013, one of the attack groups compromised a Harvard University site targeting people who were concerned with military, international relations, and human rights issues in the Far East.

IE Zero Day

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” FireEye researchers wrote in a blog post. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

Key findings in the attack include:

• The vulnerability (CVE-2014-0322) is a previously unknown use-after-free vulnerability in Microsoft Internet Explorer 10.


• Because the vulnerability allows attackers to modify memory at an arbitrary address, the attacker can use it to bypass ASLR.

• Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

• The exploit dropped a single-byte XOR-encoded (key 0x95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce).

• The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11.

• The particular variant of the ZxShell backdoor called back to a command and control server located at newss[.]effers[.]com, which at the time of publishing resolves to 118.99.60.142. The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.
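The XOR-encoded payload noted in the findings is a common triage case for responders: the dropped file does not look like an executable until the single-byte key is recovered. The following is an added example, not from FireEye's report, that brute-forces all 256 keys and picks the one that yields a PE header and the standard DOS stub string; the "payload" bytes are a constructed stand-in, not the real ZxShell sample.

```python
"""Added example (not from FireEye's report): recover the single-byte XOR
key of an encoded Windows executable by trying all 256 keys and checking
for the 'MZ' magic plus the DOS stub text. FAKE_PE below is a constructed
stand-in for a dropped PE; the real ZxShell sample is not reproduced."""

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes):
    """Return (key, decoded) for the key that yields a PE-looking file,
    or None if no single-byte key produces one."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        # 'MZ' alone is a weak signal; requiring the DOS stub too avoids
        # false hits on random data.
        if candidate[:2] == b"MZ" and DOS_STUB in candidate:
            return key, candidate
    return None


# Constructed stand-in for a dropped PE: MZ header, padding, DOS stub text.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$" + b"\x00" * 16
# What an analyst would find on disk after the exploit drops it (key 0x95).
ENCODED = xor_bytes(FAKE_PE, 0x95)

if __name__ == "__main__":
    result = recover_xor_key(ENCODED)
    if result is None:
        print("no single-byte XOR key yields a PE")
    else:
        print("recovered key: 0x%02x" % result[0])
```

A key of 0 from this routine simply means the file was not encoded at all; anything else is the value to feed into a full decoder before hashing and submitting the sample.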

The attackers have previously targeted a number of different industries, including U.S. government entities, Japanese firms, defense contractors, and others.

“The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term,” FireEye warned.

A FireEye spokesperson told SecurityWeek that the site is no longer infected and serving the exploit.

More information and details are available from FireEye.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
