Attacks/Breaches
2/14/2014
10:58 AM
50%
50%

Snowman Attack Campaign Targets IE10 Zero-Day Bug

Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website.

Beware of a new watering-hole attack that targets a zero-day vulnerability in Internet Explorer 10. News of the vulnerability first surfaced Thursday, when security firm FireEye warned that, beginning on Tuesday, it had spotted drive-by attacks launched from the US Veterans of Foreign Wars (VFW) Website. FireEye said it's been working with Microsoft to investigate the attacks.

The gang behind what FireEye has dubbed the "Operation Snowman" attack campaign appears to have hacked into the VFW Website and altered its HTML code, including introducing JavaScript that creates a malicious iFrame that targets a never-before-seen use-after-free bug in the IE10 browser. The bug allows the attackers to bypass two defensive technologies -- address space layout randomization (ASLR) and data execution prevention (DEP) -- that are meant to lock down the browser against these types of attacks.

If the attack is successful, the malicious JavaScript routine loads a Flash object that drops a payload, which downloads a ZxShell backdoor onto the targeted PC. "Those looking after IE10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator" of the attack, said SANS Internet Storm Center handler Chris Mohan in a blog post.

[Lock down your site with 3 Web Security Takeaways From Wikipedia's Near Miss.]

A VFW spokesperson contacted via email confirmed that the organization was aware of the hacking report, but wasn't immediately able to provide further details.

Security firm Symantec confirmed the attack. "Our initial analysis reveals that the Adobe Flash file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10," according to a blog post from Symantec's security response team. "We have identified a backdoor being used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer."

A Microsoft spokesman didn't immediately respond to an emailed request for comment about the zero-day attack. But a Microsoft spokesman told Reuters that the company was aware of the "targeted" attacks and was investigating. "We will take action to help protect customers," spokesperson Scott Whiteaker said.

(Image: spencer77)
(Image: spencer77)

Until Microsoft releases a patch for the zero-day IE10 bug, users can protect themselves by upgrading their browser to IE11, or by installing the Microsoft EMET security utility. "The exploit targets IE10 with Adobe Flash," said FireEye. "It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning."

FireEye said that the timing of the attack appears to have been designed to capitalize on the recent bad weather that's hit Washington and beyond. "We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend."

Timing-wise, the ZxShell file used in the attack appears to have been first compiled -- and last modified -- on Tuesday. "This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website," said FireEye. "A possible objective in the Snowman attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."

In other words, the ultimate aim of the Snowman attackers might be to steal US military secrets, and the tools used in the attack further back up that theory. "The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations," said FireEye.

The command-and-control (C&C) server used to control attackers' ZxShell variant "phones home" to an IP address that's been tied to at least two previous advanced persistent threat (APT) attack campaigns: DeputyDog, which was discovered in September 2013 and targeted organizations in Japan, and Ephemeral Hydra, which was discovered in November. FireEye said that the attack strategy and exploitation techniques used for Operation Snowman, including the code contained inside the malicious Flash files, shared a number of similarities with those two previous campaigns as well.

According to FireEye, those three campaigns also appear tied to the spring 2013 hack of security vendor Bit9. That breach was blamed on a Chinese espionage group that security researchers have dubbed "Hidden Lynx."

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/14/2014 | 11:46:54 AM
IE preferred browser?
Given that the attackers hope victims will be working on sensitive data on the infected computers, that implies they think these will be work devices, not personal. What browser does the Pentagon standardize on? It doesn't seem like IE is a smart choice.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
2/18/2014 | 10:05:02 AM
Update to story: IE9 and IE10 affected
The VFW issued a statement Friday confirming that its site was hacked:

On February 12, the VFW National Headquarters was notified of a unique and evolved attack on its website. The attackers were able to breach several layers of VFW cyber-security software, installing malicious code that would prompt a malware download to the computers of visitors to vfw.org using Internet Explorer 9 or 10. VFW immediately identified the threat and rectified the code. At this point, there is no indication that any member or donor data was compromised. VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.