2/14/2014 10:58 AM
Snowman Attack Campaign Targets IE10 Zero-Day Bug

Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website.

Beware of a new watering-hole attack that targets a zero-day vulnerability in Internet Explorer 10. News of the vulnerability first surfaced Thursday, when security firm FireEye warned that, beginning on Tuesday, it had spotted drive-by attacks launched from the US Veterans of Foreign Wars (VFW) Website. FireEye said it's been working with Microsoft to investigate the attacks.

The gang behind what FireEye has dubbed the "Operation Snowman" attack campaign appears to have hacked into the VFW Website and altered its HTML code, including introducing JavaScript that creates a malicious iFrame that targets a never-before-seen use-after-free bug in the IE10 browser. The bug allows the attackers to bypass two defensive technologies -- address space layout randomization (ASLR) and data execution prevention (DEP) -- that are meant to lock down the browser against these types of attacks.

If the attack is successful, the malicious JavaScript routine loads a Flash object that drops a payload, which downloads a ZxShell backdoor onto the targeted PC. "Those looking after IE10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator" of the attack, said SANS Internet Storm Center handler Chris Mohan in a blog post.
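The SANS advice above is to watch proxy logs for the follow-on download. As an added example, not part of the article and not code from FireEye, SANS or Symantec, the Python script below correlates constructed proxy-log lines per client and flags an IE10 user agent that fetched a Flash object and then pulled an executable within a short window, which is the two-stage pattern the article describes. The log format, hostnames and filenames are placeholders; the article publishes no IoCs, so the logic keys on the sequence rather than on specific indicators.

```python
"""
Flag the Flash-then-executable sequence in proxy logs (added example).
Log lines, hostnames and paths below are constructed placeholders, not IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in an assumed format:
#   timestamp client method url status content-type "user-agent"
SAMPLE_LOG = """\
2014-02-11T09:15:02 10.0.0.5 GET http://compromised.example/index.html 200 text/html "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
2014-02-11T09:15:03 10.0.0.5 GET http://compromised.example/assets/flash.swf 200 application/x-shockwave-flash "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
2014-02-11T09:15:09 10.0.0.5 GET http://payload.example/stage2.exe 200 application/octet-stream "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
2014-02-11T09:20:00 10.0.0.7 GET http://news.example/story.html 200 text/html "Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Trident/7.0)"
2014-02-11T09:20:01 10.0.0.7 GET http://news.example/video.swf 200 application/x-shockwave-flash "Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Trident/7.0)"
2014-02-11T11:00:00 10.0.0.9 GET http://cdn.example/app.swf 200 application/x-shockwave-flash "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T12:30:00 10.0.0.9 GET http://updates.example/tool.exe 200 application/octet-stream "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
IE10_RE = re.compile(r"MSIE 10\.0")
FLASH_TYPES = {"application/x-shockwave-flash"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        entries.append(rec)
    return entries


def is_ie10(user_agent):
    """True when the user-agent string identifies Internet Explorer 10."""
    return IE10_RE.search(user_agent) is not None


def is_flash(rec):
    return rec["ctype"] in FLASH_TYPES or rec["url"].lower().endswith(".swf")


def is_executable(rec):
    path = rec["url"].split("?", 1)[0].lower()
    return rec["ctype"] in EXE_TYPES or path.endswith(EXE_SUFFIXES)


def find_follow_on_downloads(entries, window=timedelta(minutes=5)):
    """Return one alert per IE10 client whose Flash fetch is followed, within
    `window`, by an executable download from the same client."""
    by_client = defaultdict(list)
    for rec in entries:
        by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not (is_ie10(rec["ua"]) and is_flash(rec)):
                continue
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > window:
                    break  # sorted by time, so nothing further is in the window
                if is_executable(later):
                    alerts.append({
                        "client": client,
                        "flash_url": rec["url"],
                        "download_url": later["url"],
                        "seconds_after_flash": int((later["ts"] - rec["ts"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_follow_on_downloads(parse_log(SAMPLE_LOG)):
        print(f"{a['client']}: {a['flash_url']} -> {a['download_url']} "
              f"({a['seconds_after_flash']}s later)")
```

On the constructed sample only the first client trips the rule: the IE11 client is out of scope for this bug, and the third client's executable download arrives 90 minutes after its Flash fetch, outside the window. The window and the executable heuristics are tunable; a real deployment would also pivot on whatever indicators a vendor publishes.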


A VFW spokesperson contacted via email confirmed that the organization was aware of the hacking report, but wasn't immediately able to provide further details.

Security firm Symantec confirmed the attack. "Our initial analysis reveals that the Adobe Flash file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10," according to a blog post from Symantec's security response team. "We have identified a backdoor being used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer."

A Microsoft spokesman didn't immediately respond to an emailed request for comment about the zero-day attack. But a Microsoft spokesman told Reuters that the company was aware of the "targeted" attacks and was investigating. "We will take action to help protect customers," spokesperson Scott Whiteaker said.

(Image: spencer77)

Until Microsoft releases a patch for the zero-day IE10 bug, users can protect themselves by upgrading their browser to IE11, or by installing the Microsoft EMET security utility. "The exploit targets IE10 with Adobe Flash," said FireEye. "It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning."

FireEye said that the timing of the attack appears to have been designed to capitalize on the recent bad weather that's hit Washington and beyond. "We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend."

Timing-wise, the ZxShell file used in the attack appears to have been first compiled -- and last modified -- on Tuesday. "This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website," said FireEye. "A possible objective in the Snowman attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."

In other words, the ultimate aim of the Snowman attackers might be to steal US military secrets, and the tools used in the attack further back up that theory. "The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations," said FireEye.

The attackers' ZxShell variant "phones home" to a command-and-control (C&C) server at an IP address that's been tied to at least two previous advanced persistent threat (APT) attack campaigns: DeputyDog, which was discovered in September 2013 and targeted organizations in Japan, and Ephemeral Hydra, which was discovered in November. FireEye said that the attack strategy and exploitation techniques used for Operation Snowman, including the code contained inside the malicious Flash files, shared a number of similarities with those two previous campaigns as well.

According to FireEye, those three campaigns also appear tied to the spring 2013 hack of security vendor Bit9. That breach was blamed on a Chinese espionage group that security researchers have dubbed "Hidden Lynx."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments

Lorna Garey, User Rank: Ninja
2/14/2014 | 11:46:54 AM
IE preferred browser?
Given that the attackers hope victims will be working on sensitive data on the infected computers, that implies they think these will be work devices, not personal. What browser does the Pentagon standardize on? It doesn't seem like IE is a smart choice.
Mathew, User Rank: Apprentice
2/18/2014 | 10:05:02 AM
Update to story: IE9 and IE10 affected
The VFW issued a statement Friday confirming that its site was hacked:

On February 12, the VFW National Headquarters was notified of a unique and evolved attack on its website. The attackers were able to breach several layers of VFW cyber-security software, installing malicious code that would prompt a malware download to the computers of visitors to vfw.org using Internet Explorer 9 or 10. VFW immediately identified the threat and rectified the code. At this point, there is no indication that any member or donor data was compromised. VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.
