"At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message," said Dustin Childs, group manager of response communications for Microsoft's Trustworthy Computing group. The one-click Fix it released by Microsoft protects against the known attacks that exploit the bug, he said.
"Internet Explorer 11 is not affected by this issue, so upgrading to this version will also help protect customers from this issue," Childs said.
[Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website. See Snowman Attack Campaign Targets IE10 Zero-Day Bug .]
Websense then revealed that they had seen another targeted attack by the same group and using the same 0day as in the VFW attack, but which began earlier, around January 20. The attack targeted a French aerospace association, Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), by setting up a phony and malware-ridden website posing as GIFAS's legitimate site.
But yesterday, researchers at Seculert challenged Websense's theory that the two attacks were by the same group. Aviv Raff, CTO at Seculert, says his firm found a different exploit targeting GIFAS. "Our research shows that these are two different attacking groups, with two different targets," but both exploiting the same IE zero-day flaw, Raff says.
They have "almost identical elements of the exploit," he says, which indicates the two groups purchased the exploit from the same creator or seller. Both attacks have the earmarks of Chinese cyberespionage actors, he says.
"While the attack described by FireEye was a watering hole, the attack vector on the French company was probably a spear phishing email, because the attackers were using a fake website of GIFAS," Raff says. Raff says it is likely part of a broader campaign targeting the aerospace industry, but that the malware his firm found was customized to attack remote users at a specific multinational aircraft and rocket engine manufacturer, including its employees, partners and third-party vendors.
"Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer," Seculert wrote in a blog post describing the attack. "The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C)."
The command and control server and the exploit reside on the same server in the U.S. In addition, the malware comes with a valid digital certificate, from Micro Digital Inc.
There's been no indication publicly that the IE 0day has been commercialized for traditional cybercriminals just yet, but it's only a matter of time. "We haven't seen attackers incorporate the 0-day in exploit kits just yet. But, as we've seen with past 0-days, it shouldn't take them too long," Raff says.
Another Day, Another 0Day
Meanwhile, FireEye today disclosed details of yet another cyberespionage campaign using another zero-day flaw —this time in Adobe Flash. The so-called "Operation Greedywonk" is targeting U.S. think tank websites, and FireEye estimates that thousands of visitors to those sites have been infected.
Adobe today issued an out-of-band patch to fix flaws in Flash Player 220.127.116.11, including the bug used in the zero-day attacks in Operation Greedywonk.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.