2/14/2014
10:58 AM

Snowman Attack Campaign Targets IE10 Zero-Day Bug

Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website.

Beware of a new watering-hole attack that targets a zero-day vulnerability in Internet Explorer 10. News of the vulnerability first surfaced Thursday, when security firm FireEye warned that, beginning on Tuesday, it had spotted drive-by attacks launched from the US Veterans of Foreign Wars (VFW) Website. FireEye said it's been working with Microsoft to investigate the attacks.

The gang behind what FireEye has dubbed the "Operation Snowman" attack campaign appears to have hacked into the VFW Website and altered its HTML code, adding JavaScript that creates a malicious iframe, which in turn triggers a never-before-seen use-after-free bug in IE10. The bug on its own does not defeat the browser's defenses; the exploit pairs it with techniques that bypass two of them -- address space layout randomization (ASLR) and data execution prevention (DEP) -- which are meant to make exactly this kind of memory-corruption bug hard to turn into code execution.

If the attack is successful, the malicious JavaScript routine loads a Flash object that drops a payload, which downloads a ZxShell backdoor onto the targeted PC. "Those looking after IE10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator" of the attack, said SANS Internet Storm Center handler Chris Mohan in a blog post.
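The proxy-log check Mohan recommends, written out as an added example (it is not part of the original article, nor SANS ISC or FireEye tooling): for every client, find a Flash object fetched by an IE 9 or IE 10 user agent and flag any executable download from the same client shortly afterwards. The log format, hostnames, paths and timestamps below are constructed for illustration; they are not indicators from the real campaign.

```python
"""Hunt a proxy log for the "Flash object, then executable download" sequence.

Added example, not code from the article or from the researchers it quotes.
The log lines, hosts (.test TLD) and file names are constructed; the only
facts taken from the article are that victims ran IE 9/10, the page served a
Flash object, and a follow-on executable (the ZxShell dropper) was fetched.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: <ISO timestamp> <client> <method> <url> <content-type> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
IE_TARGET_RE = re.compile(r"MSIE (?:9|10)\.0")          # IE 9/10 UA strings contain "MSIE 9.0"/"MSIE 10.0"
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXE_EXT_RE = re.compile(r"\.(?:exe|dll|scr)$")

# Constructed sample traffic (NOT real data). Clients:
#   10.0.1.15 IE10: page -> swf -> exe 7 s later (hit), another exe 8 min later (outside window)
#   10.0.1.22 Firefox: swf only, no download
#   10.0.1.31 IE10: exe download with no preceding swf (ordinary software update)
#   10.0.1.40 IE11: swf -> exe (reported, but flagged as a non-target browser)
SAMPLE_LOG = """\
2014-02-11T09:12:01 10.0.1.15 GET http://www.vfw-example.test/ text/html "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T09:12:02 10.0.1.15 GET http://www.vfw-example.test/flash/player.swf application/x-shockwave-flash "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T09:12:09 10.0.1.15 GET http://cdn-static.test/img/update.exe application/octet-stream "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T09:20:00 10.0.1.15 GET http://cdn-static.test/img/second.exe application/octet-stream "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T09:15:30 10.0.1.22 GET http://www.vfw-example.test/flash/player.swf application/x-shockwave-flash "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
2014-02-11T09:20:00 10.0.1.31 GET http://updates.vendor.test/setup.exe application/x-msdownload "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2014-02-11T09:30:00 10.0.1.40 GET http://www.vfw-example.test/flash/player.swf application/x-shockwave-flash "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2014-02-11T09:30:05 10.0.1.40 GET http://cdn-static.test/img/update.exe application/x-msdownload "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""


def parse(lines):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        yield rec


def _path(rec):
    return rec["url"].split("?", 1)[0].lower()


def is_flash(rec):
    return rec["ctype"] == "application/x-shockwave-flash" or _path(rec).endswith(".swf")


def is_exe(rec):
    # Match on declared type or on extension; octet-stream alone is too noisy.
    return rec["ctype"] in EXE_TYPES or bool(EXE_EXT_RE.search(_path(rec)))


def find_followon_downloads(lines, window=timedelta(seconds=120)):
    """Return one record per (Flash fetch -> executable download) pair within `window`."""
    by_client = defaultdict(list)
    for rec in parse(lines):
        by_client[rec["client"]].append(rec)

    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, swf in enumerate(recs):
            if not is_flash(swf):
                continue
            for later in recs[i + 1:]:
                delta = later["ts"] - swf["ts"]
                if delta > window:
                    break                      # sorted, so nothing later can qualify
                if is_exe(later):
                    hits.append({
                        "client": client,
                        "ie_target": bool(IE_TARGET_RE.search(swf["ua"])),
                        "flash": swf["url"],
                        "download": later["url"],
                        "delta_s": int(delta.total_seconds()),
                    })
    return hits


if __name__ == "__main__":
    for h in find_followon_downloads(SAMPLE_LOG.splitlines()):
        tag = "IE9/10" if h["ie_target"] else "other browser"
        print(f"{h['client']} [{tag}] {h['flash']} -> {h['download']} (+{h['delta_s']}s)")
```

The user-agent string is attacker-observable and trivially spoofed, so the rule reports every Flash-then-executable sequence and only labels which ones came from the browser versions the exploit targets; an analyst triaging the output would look at the IE 9/10 rows first but not discard the rest. Content-type alone is unreliable too (the dropper may be served as octet-stream or with a non-executable extension), which is why the check also matches on file extension, and why the next step after a hit is pulling the downloaded file from the proxy cache or endpoint rather than trusting the log.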


A VFW spokesperson contacted via email confirmed that the organization was aware of the hacking report, but wasn't immediately able to provide further details.

Security firm Symantec confirmed the attack. "Our initial analysis reveals that the Adobe Flash file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10," according to a blog post from Symantec's security response team. "We have identified a backdoor being used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer."

Microsoft didn't immediately respond to an emailed request for comment about the zero-day attack. But spokesperson Scott Whiteaker told Reuters that the company was aware of the "targeted" attacks and was investigating. "We will take action to help protect customers," he said.

(Image: spencer77)

Until Microsoft releases a patch for the zero-day IE10 bug, users can protect themselves by upgrading their browser to IE11, or by installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET). "The exploit targets IE10 with Adobe Flash," said FireEye. "It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Enhanced Mitigation Experience Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning."

FireEye said that the timing of the attack appears to have been designed to capitalize on the recent bad weather that's hit Washington and beyond. "We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend."

Timing-wise, the ZxShell file used in the attack appears to have been first compiled -- and last modified -- on Tuesday. "This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website," said FireEye. "A possible objective in the Snowman attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."

In other words, the ultimate aim of the Snowman attackers might be to steal US military secrets, and the tools used in the attack further back up that theory. "The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations," said FireEye.

The ZxShell variant used in the attack "phones home" to a command-and-control (C&C) IP address that has been tied to at least two previous advanced persistent threat (APT) campaigns: DeputyDog, discovered in September 2013, which targeted organizations in Japan, and Ephemeral Hydra, discovered in November 2013. FireEye said that the attack strategy and exploitation techniques used in Operation Snowman, including the code inside the malicious Flash files, also shared a number of similarities with those two campaigns.

According to FireEye, those three campaigns also appear tied to the early 2013 hack of security vendor Bit9. That breach was blamed on a Chinese espionage group that security researchers have dubbed "Hidden Lynx."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Lorna Garey (User Rank: Ninja), 2/14/2014 11:46:54 AM
IE preferred browser?
Given that the attackers hope victims will be working on sensitive data on the infected computers, that implies they think these will be work devices, not personal. What browser does the Pentagon standardize on? It doesn't seem like IE is a smart choice.
Mathew (User Rank: Apprentice), 2/18/2014 10:05:02 AM
Update to story: IE9 and IE10 affected
The VFW issued a statement Friday confirming that its site was hacked:

On February 12, the VFW National Headquarters was notified of a unique and evolved attack on its website. The attackers were able to breach several layers of VFW cyber-security software, installing malicious code that would prompt a malware download to the computers of visitors to vfw.org using Internet Explorer 9 or 10. VFW immediately identified the threat and rectified the code. At this point, there is no indication that any member or donor data was compromised. VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.
