Snowman Attack Campaign Targets IE10 Zero-Day Bug
Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website.

Beware of a new watering-hole attack that targets a zero-day vulnerability in Internet Explorer 10. News of the vulnerability first surfaced Thursday, when security firm FireEye warned that, beginning on Tuesday, it had spotted drive-by attacks launched from the US Veterans of Foreign Wars (VFW) Website. FireEye said it's been working with Microsoft to investigate the attacks.
The gang behind what FireEye has dubbed the "Operation Snowman" attack campaign appears to have hacked into the VFW Website and altered its HTML code, including introducing JavaScript that creates a malicious iFrame that targets a never-before-seen use-after-free bug in the IE10 browser. The bug allows the attackers to bypass two defensive technologies -- address space layout randomization (ASLR) and data execution prevention (DEP) -- that are meant to lock down the browser against these types of attacks.
If the attack is successful, the malicious JavaScript routine loads a Flash object that drops a payload, which downloads a ZxShell backdoor onto the targeted PC. "Those looking after IE10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator" of the attack, said SANS Internet Storm Center handler Chris Mohan in a blog post.
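One way to act on that proxy-log hint, as an added example that is not code from the article, SANS or FireEye: the script below scans constructed proxy log lines (the log format, hostnames and the 60-second window are assumptions) for IE10 clients that fetch a Flash object and then pull down an executable shortly afterwards, the sequence the article describes.

```python
"""Flag IE10 clients whose proxy traffic shows the Snowman-style sequence:
a Flash (.swf) fetch followed shortly by an executable download."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic). Fields, space-separated:
# timestamp client_ip url content_type user_agent(rest of line)
SAMPLE_LOG = """\
2014-02-11T09:00:01 10.0.0.5 http://www.example-hosted.test/index.html text/html Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2014-02-11T09:00:03 10.0.0.5 http://www.example-hosted.test/loader.swf application/x-shockwave-flash Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2014-02-11T09:00:09 10.0.0.5 http://cdn.example-payload.test/update.exe application/x-msdownload Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2014-02-11T09:05:00 10.0.0.7 http://www.example-hosted.test/video.swf application/x-shockwave-flash Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
2014-02-11T09:05:04 10.0.0.7 http://cdn.example-payload.test/setup.exe application/x-msdownload Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
2014-02-11T10:00:00 10.0.0.9 http://www.example-hosted.test/banner.swf application/x-shockwave-flash Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
"""

FLASH_TYPE = "application/x-shockwave-flash"
# Content types a dropped payload is typically served as (assumed list).
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # assumed: follow-on download lands within a minute


def parse(line):
    ts, client, url, ctype, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "ctype": ctype, "ua": ua}


def is_ie10(ua):
    # The exploit aborts on other IE versions, so only IE10 user agents are of interest.
    return "MSIE 10.0" in ua


def find_suspect_sequences(log_text, window=WINDOW):
    """Return (client, swf_url, exe_url) for each IE10 client that fetched a
    Flash object and then an executable within `window`."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            if is_ie10(rec["ua"]):
                by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["ctype"] != FLASH_TYPE:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > window:
                    break  # outside the window; stop scanning this Flash fetch
                if later["ctype"] in EXE_TYPES:
                    hits.append((client, rec["url"], later["url"]))
                    break
    return hits
```

In the sample, only 10.0.0.5 is flagged: 10.0.0.7 runs IE11 and 10.0.0.9 fetches Flash with no follow-on download.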
A VFW spokesperson contacted via email confirmed that the organization was aware of the hacking report, but wasn't immediately able to provide further details.
Security firm Symantec confirmed the attack. "Our initial analysis reveals that the Adobe Flash file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10," according to a blog post from Symantec's security response team. "We have identified a backdoor being used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer."
A Microsoft spokesman didn't immediately respond to an emailed request for comment about the zero-day attack. But a Microsoft spokesman told Reuters that the company was aware of the "targeted" attacks and was investigating. "We will take action to help protect customers," spokesperson Scott Whiteaker said.
Until Microsoft releases a patch for the zero-day IE10 bug, users can protect themselves by upgrading their browser to IE11, or by installing the Microsoft EMET security utility. "The exploit targets IE10 with Adobe Flash," said FireEye. "It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning."
FireEye said that the timing of the attack appears to have been designed to capitalize on the recent bad weather that's hit Washington and beyond. "We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend."
Timing-wise, the ZxShell file used in the attack appears to have been first compiled -- and last modified -- on Tuesday. "This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website," said FireEye. "A possible objective in the Snowman attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."
In other words, the ultimate aim of the Snowman attackers might be to steal US military secrets, and the tools used in the attack further back up that theory. "The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations," said FireEye.
The command-and-control (C&C) server used to control attackers' ZxShell variant "phones home" to an IP address that's been tied to at least two previous advanced persistent threat (APT) attack campaigns: DeputyDog, which was discovered in September 2013 and targeted organizations in Japan, and Ephemeral Hydra, which was discovered in November. FireEye said that the attack strategy and exploitation techniques used for Operation Snowman, including the code contained inside the malicious Flash files, shared a number of similarities with those two previous campaigns as well.
According to FireEye, those three campaigns also appear tied to the spring 2013 hack of security vendor Bit9. That breach was blamed on a Chinese espionage group that security researchers have dubbed "Hidden Lynx."
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.