Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Internet Explorer Zero-Day Exploited in Watering Hole Attack Campaign

Attackers are targeting a zero-day vulnerability in Microsoft Internet Explorer in a campaign that has hit as many as 10 different websites, including the U.S. Department of Labor site.

Attackers are targeting a zero-day vulnerability in Microsoft Internet Explorer in a campaign that has hit as many as 10 different websites, including the U.S. Department of Labor site.

Originally thought to be exploiting CVE-2012-4792, the attackers are now known to be targeting a previously unknown vulnerability in certain versions of IE. According to Microsoft, the vulnerability affects Internet Explorer 8, and IE 6, 7, 9 and 10 are not impacted.

“This is a remote code execution vulnerability,” Microsoft explained in an advisory. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” according to the advisory.

According to AlienVault, the list of affected sites spans from the Department of Labor site to sites belonging to several non-profit groups and institutes as well as a European company involved in the aerospace, defense and security industries.

Researchers from CrowdStrike said the attack campaign may have begun in mid-March. Their analysis of logs from the malicious infrastructure used in this campaign showed the IP addresses of the visitors to the compromised sites belonged to 37 different countries.

 “The legitimate sites compromised to deliver malicious code in this campaign give an indication into targets of interest,” blogged Matt Dahl, senior threat researcher at CrowdStrike. “The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium. Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector.”

“Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector,” he blogged.

Microsoft urged anyone worried about the attack to upgrade to the most current versions of the browser, which are not vulnerable to the attack.

“We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders,” blogged Dustin Childs, group manager for response communications for trustworthy computing at Microsoft.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cybercrime

Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.