2/14/2014
10:58 AM

Snowman Attack Campaign Targets IE10 Zero-Day Bug

Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website.

Beware of a new watering-hole attack that targets a zero-day vulnerability in Internet Explorer 10. News of the vulnerability first surfaced Thursday, when security firm FireEye warned that, beginning on Tuesday, it had spotted drive-by attacks launched from the US Veterans of Foreign Wars (VFW) Website. FireEye said it's been working with Microsoft to investigate the attacks.

The gang behind what FireEye has dubbed the "Operation Snowman" attack campaign appears to have hacked into the VFW Website and altered its HTML code, adding JavaScript that creates a malicious iframe, which in turn targets a never-before-seen use-after-free bug in the IE10 browser. The exploit chain gets around two defensive technologies -- address space layout randomization (ASLR) and data execution prevention (DEP) -- that are meant to make memory-corruption bugs like this one hard to turn into code execution.

If the attack is successful, the malicious JavaScript routine loads a Flash object that drops a payload, which downloads a ZxShell backdoor onto the targeted PC. "Those looking after IE10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator" of the attack, said SANS Internet Storm Center handler Chris Mohan in a blog post.
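
Mohan's suggestion, turned into something that can be run against a log: the script below is an added example, not code from the article, SANS or FireEye. It groups proxy entries by client and looks for the sequence the article describes, an IE10 browser fetching a Flash object and then, within a short window, pulling down an executable-looking file. The tab-separated log format, the hostnames, the addresses and the sample lines are all constructed for the example; the parser would need adapting to a real proxy's format.

```python
"""Hunt proxy logs for the chain the article describes: an IE10 client fetches a
Flash object and, shortly afterwards, downloads an executable-looking file.

Added example, not code from the article, SANS or FireEye. The log format is a
constructed tab-separated one: time, client, method, url, status, content-type,
referer, user-agent. Hosts and addresses are placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 120  # a payload fetch this long after the Flash object still counts
FLASH_TYPE = "application/x-shockwave-flash"
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
EXEC_EXTS = (".exe", ".dll", ".scr")

IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"

# Constructed sample log: one full chain (.23), a non-IE client (.77) and an IE10
# client whose executable download comes hours later (.90), outside the window.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2014-02-11T14:03:12Z", "198.51.100.23", "GET", "http://watering-hole.example/",
     "200", "text/html", "-", IE10_UA),
    ("2014-02-11T14:03:13Z", "198.51.100.23", "GET", "http://watering-hole.example/media/clip.swf",
     "200", FLASH_TYPE, "http://watering-hole.example/", IE10_UA),
    ("2014-02-11T14:03:27Z", "198.51.100.23", "GET", "http://203.0.113.9/stage/update.exe",
     "200", "application/octet-stream", "-", IE10_UA),
    ("2014-02-11T14:05:01Z", "198.51.100.77", "GET", "http://watering-hole.example/media/clip.swf",
     "200", FLASH_TYPE, "http://watering-hole.example/", FIREFOX_UA),
    ("2014-02-11T15:10:00Z", "198.51.100.90", "GET", "http://watering-hole.example/media/clip.swf",
     "200", FLASH_TYPE, "http://watering-hole.example/", IE10_UA),
    ("2014-02-11T17:10:00Z", "198.51.100.90", "GET", "http://mirror.example/tools/installer.exe",
     "200", "application/octet-stream", "-", IE10_UA),
])


def parse_line(line):
    """Split one tab-separated record; timestamps are ISO 8601 in UTC."""
    ts, client, method, url, status, ctype, referer, ua = line.split("\t")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client, "method": method, "url": url, "status": int(status),
        "ctype": ctype.lower(), "referer": referer, "ua": ua,
    }


def is_ie10(rec):
    return "MSIE 10.0" in rec["ua"]


def is_flash(rec):
    return rec["ctype"] == FLASH_TYPE or rec["url"].lower().endswith(".swf")


def is_exec_download(rec):
    return rec["status"] == 200 and (
        rec["ctype"] in EXEC_TYPES or rec["url"].lower().endswith(EXEC_EXTS))


def find_chains(lines, window=WINDOW_SECONDS):
    """Return one alert per (IE10 Flash fetch, follow-on executable download) pair."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for swf in (r for r in recs if is_ie10(r) and is_flash(r)):
            for later in recs:
                delta = (later["ts"] - swf["ts"]).total_seconds()
                if 0 < delta <= window and is_exec_download(later):
                    alerts.append({"client": client, "flash_url": swf["url"],
                                   "payload_url": later["url"], "seconds_after": delta,
                                   "referer": swf["referer"]})
    return alerts


if __name__ == "__main__":
    for a in find_chains(SAMPLE_LOG.splitlines()):
        print(f"{a['client']}: {a['flash_url']} -> {a['payload_url']} "
              f"({a['seconds_after']:.0f}s later, referer {a['referer']})")
```

The referer of the Flash fetch is carried into the alert because it names the page that hosted the object, which is the first thing to check for injected code. A legitimate software update that happens to follow a visit to a Flash-heavy site will match too, so in practice the window and an allowlist of known download hosts need tuning before this is used for alerting rather than hunting.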


A VFW spokesperson contacted via email confirmed that the organization was aware of the hacking report, but wasn't immediately able to provide further details.

Security firm Symantec confirmed the attack. "Our initial analysis reveals that the Adobe Flash file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10," according to a blog post from Symantec's security response team. "We have identified a backdoor being used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer."

Microsoft didn't immediately respond to an emailed request for comment about the zero-day attack, but a company spokesman told Reuters that Microsoft was aware of the "targeted" attacks and was investigating. "We will take action to help protect customers," spokesperson Scott Whiteaker said.

(Image: spencer77)

Until Microsoft releases a patch for the zero-day IE10 bug, users can protect themselves by upgrading to IE11 or by installing Microsoft's EMET security utility. "The exploit targets IE10 with Adobe Flash," said FireEye. "It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Enhanced Mitigation Experience Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning." Note that this is the exploit's own version check at work: it says what stops this particular exploit, not which versions of IE contain the underlying bug. Since the chain also depends on a Flash object, blocking Flash content in IE would break this exploit as well, though it would not fix the flaw.

FireEye said that the timing of the attack appears to have been designed to capitalize on the recent bad weather that's hit Washington and beyond. "We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend."

Timing-wise, the ZxShell file used in the attack carries a compile timestamp -- and a last-modified time -- of Tuesday. (A compile timestamp is a field in the file's header that whoever built the malware can set to anything, so it supports the story rather than proving it.) "This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website," said FireEye. "A possible objective in the Snowman attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."
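
FireEye's compile-time observation rests on the TimeDateStamp field in the executable's PE header. As an added example (not FireEye's tooling), the script below reads that field from a file, converts it to a UTC date, and compares it with the time the sample was first seen; a timestamp later than the first sighting is impossible and shows the field was tampered with, while an earlier one is merely consistent. The "sample" here is a constructed header-only PE image and the first-seen time is made up for the example; nothing is taken from the real ZxShell binary.

```python
"""Read the compile timestamp from a PE file's COFF header and sanity-check it
against when the sample was first seen.

Added example, not FireEye's tooling. Uses the documented PE layout: 'MZ' at
offset 0, e_lfanew (offset of the PE signature) at 0x3C, the bytes 'PE' plus two
zero bytes at e_lfanew, then the 20-byte COFF header whose third field is
TimeDateStamp (seconds since the Unix epoch).
"""
import struct
from datetime import datetime, timezone

# Constructed sample values; not taken from the real ZxShell binary.
SAMPLE_TS = 1392120000  # 2014-02-11 12:00:00 UTC, a Tuesday
FIRST_SEEN = datetime(2014, 2, 11, 16, 0, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_assessment(compiled: datetime, first_seen: datetime) -> str:
    """Header timestamps are attacker-controlled; only one case proves tampering."""
    if compiled > first_seen:
        return "compiled after first sighting: timestamp forged or clock wrong"
    age = first_seen - compiled
    if age.days < 1:
        return "compiled within a day of first sighting: consistent with a fresh build"
    return f"compiled {age.days} days before first sighting"


def build_sample_pe(stamp: int) -> bytes:
    """Construct a header-only PE image (enough for the parser, not runnable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x14C,   # Machine: IMAGE_FILE_MACHINE_I386
                       1,       # NumberOfSections
                       stamp,   # TimeDateStamp
                       0, 0,    # PointerToSymbolTable, NumberOfSymbols
                       0xE0,    # SizeOfOptionalHeader (PE32)
                       0x102)   # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    import sys
    # Pass a real PE path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_TS)
    compiled = pe_compile_time(data)
    print(compiled.strftime("%Y-%m-%d %H:%M:%S UTC (%A)"))
    print(timestamp_assessment(compiled, FIRST_SEEN))
```

Run with the path of a suspect binary as the only argument to read its real header. The PE timestamp is the weakest of the three times an analyst usually has (header stamp, file-system modification time, first sighting in telemetry); when the three agree, as FireEye reports here, the story is plausible, and when the header postdates the sighting the field has been tampered with.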

In other words, the ultimate aim of the Snowman attackers might be to steal US military secrets, and the tools used in the attack further back up that theory. "The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations," said FireEye.

The attackers' ZxShell variant "phones home" to a command-and-control (C&C) server at an IP address that's been tied to at least two previous advanced persistent threat (APT) attack campaigns: DeputyDog, discovered in September 2013 and aimed at organizations in Japan, and Ephemeral Hydra, discovered in November. FireEye said the attack strategy and exploitation techniques used in Operation Snowman, including the code inside the malicious Flash files, shared a number of similarities with those two earlier campaigns as well.

According to FireEye, those three campaigns also appear tied to the early-2013 hack of security vendor Bit9. That breach was blamed on a Chinese espionage group that security researchers have dubbed "Hidden Lynx."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Mathew,
User Rank: Apprentice
2/18/2014 | 10:05:02 AM
Update to story: IE9 and IE10 affected
The VFW issued a statement Friday confirming that its site was hacked:

On February 12, the VFW National Headquarters was notified of a unique and evolved attack on its website. The attackers were able to breach several layers of VFW cyber-security software, installing malicious code that would prompt a malware download to the computers of visitors to vfw.org using Internet Explorer 9 or 10. VFW immediately identified the threat and rectified the code. At this point, there is no indication that any member or donor data was compromised. VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.

Lorna Garey,
User Rank: Ninja
2/14/2014 | 11:46:54 AM
IE preferred browser?
Given that the attackers hope victims will be working on sensitive data on the infected computers, that implies they think these will be work devices, not personal. What browser does the Pentagon standardize on? It doesn't seem like IE is a smart choice.