'Fix-it' shipped in the wake of at least two targeted attack campaigns exploiting a newly found bug in IE10

Microsoft has released a temporary workaround tool for a newly discovered zero-day flaw in Internet Explorer that has been spotted being abused in at least two targeted attack campaigns.

Two different cyberespionage attack groups have been seen exploiting the use-after-free bug in Internet Explorer 10 – IE9 also has the same bug – that lets attackers remotely run code via malicious JavaScript. Earlier versions of the browser don't contain the flaw.

"At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message," said Dustin Childs, group manager of response communications for Microsoft's Trustworthy Computing group. The one-click Fix it released by Microsoft protects against the known attacks that exploit the bug, he said.

"Internet Explorer 11 is not affected by this issue, so upgrading to this version will also help protect customers from this issue," Childs said.

FireEye last Thursday warned of a new zero-day watering hole attack where the U.S. Veterans of Foreign Wars website was being used to serve up drive-by malware attacks. Dubbed "Operation Snowman" by FireEye, the targeted attack campaign employed malicious JavaScript and an iFrame targeting the zero-day IE bug. The malicious JavaScript code loads a Flash object that in turn infects the victim with a payload that downloads a backdoor ZxShell Trojan.

[Military personnel appear to be the targets of watering-hole attacks from a hacked VFW website. See Snowman Attack Campaign Targets IE10 Zero-Day Bug .]

Websense then revealed that they had seen another targeted attack by the same group and using the same 0day as in the VFW attack, but which began earlier, around January 20. The attack targeted a French aerospace association, Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), by setting up a phony and malware-ridden website posing as GIFAS's legitimate site.

But yesterday, researchers at Seculert challenged Websense's theory that the two attacks were by the same group. Aviv Raff, CTO at Seculert, says his firm found a different exploit targeting GIFAS. "Our research shows that these are two different attacking groups, with two different targets," but both exploiting the same IE zero-day flaw, Raff says.

They have "almost identical elements of the exploit," he says, which indicates the two groups purchased the exploit from the same creator or seller. Both attacks have the earmarks of Chinese cyberespionage actors, he says.

"While the attack described by FireEye was a watering hole, the attack vector on the French company was probably a spear phishing email, because the attackers were using a fake website of GIFAS," Raff says. Raff says it is likely part of a broader campaign targeting the aerospace industry, but that the malware his firm found was customized to attack remote users at a specific multinational aircraft and rocket engine manufacturer, including its employees, partners and third-party vendors.

"Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer," Seculert wrote in a blog post describing the attack. "The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C)."

The command and control server and the exploit reside on the same server in the U.S. In addition, the malware comes with a valid digital certificate, from Micro Digital Inc.

There's been no indication publicly that the IE 0day has been commercialized for traditional cybercriminals just yet, but it's only a matter of time. "We haven't seen attackers incorporate the 0-day in exploit kits just yet. But, as we've seen with past 0-days, it shouldn't take them too long," Raff says.

Another Day, Another 0Day
Meanwhile, FireEye today disclosed details of yet another cyberespionage campaign using another zero-day flaw —this time in Adobe Flash. The so-called "Operation Greedywonk" is targeting U.S. think tank websites, and FireEye estimates that thousands of visitors to those sites have been infected.

Adobe today issued an out-of-band patch to fix flaws in Flash Player, including the bug used in the zero-day attacks in Operation Greedywonk.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights