Fi8sVrs

IE 0-day used in watering hole attack tied to previous campaigns


An Internet Explorer zero-day vulnerability (CVE-2014-0322) is actively exploited in the wild in a watering-hole attack targeting visitors to the official website of the U.S. Veterans of Foreign Wars, FireEye researchers warned on Thursday.


"It’s a brand new zero-day that targets IE 10 users visiting the compromised website – a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it," they explained.

"We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra)," they added in a later blog post.

This new campaign has been dubbed "Operation SnowMan," and the similarities with the aforementioned earlier campaigns are many: exploitation of an IE zero-day, delivery of a remote access Trojan (Gh0st RAT), the "watering hole" exploit delivery method, related C&C infrastructure, and the use of a simple single-byte XOR-encoded (0x95) payload obfuscated with a .jpg extension.

"The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET)," they shared, and pointed out that installing EMET or updating to IE 11 are perfect mitigation measures.

It is believed that the same actors have likely orchestrated all these campaigns. So far, the targets were US government agencies, defense companies, IT and law firms, NGOs, mining companies, so it's safe to say they were cyber espionage campaigns geared at stealing confidential information.

Websense researchers say they have discovered the use of this same vulnerability as early as January 20, 2014 (FireEye detected the exploit on February 11), and that the targets were the visitors to a fake site mimicking that of the French aerospace association GIFAS, which includes contractors and firms in both the military and civilian aircraft industry.

Again, the similarities between Operation SnowMan and this campaign aimed at GIFAS members are many, giving rise to the belief that the actors behind them are the same ones.

Via IE 0-day used in watering hole attack tied to previous campaigns

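As an added analyst-side example (not part of the original post or of FireEye's report), the snippet below shows how a defender can triage a file that arrives with a .jpg extension but is really a single-byte XOR-encoded PE of the kind described above. The only page facts it uses are the 0x95 key and the .jpg disguise; the sample payload is a constructed PE-like blob, not a real sample from the campaign.

```python
import struct

# Constructed stand-in for the SnowMan-style payload: a fake PE, XOR-encoded
# with the single-byte key 0x95 and served as "something.jpg".
SNOWMAN_KEY = 0x95
JPEG_MAGIC = b"\xff\xd8\xff"
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_decode(data, key):
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def build_fake_pe():
    """Minimal constructed PE-like blob: DOS header, e_lfanew, DOS stub, PE\\0\\0."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew at 0x3C
    dos_stub = DOS_STUB.ljust(0x80 - len(dos_header), b"\x00")
    nt_header = b"PE\x00\x00" + b"\x00" * 20
    return dos_header + dos_stub + nt_header

def looks_like_pe(data):
    """True when an MZ header is present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_xor_key(data):
    """Recover a single-byte XOR key: only one key can map byte 0 to 'M'."""
    if not data:
        return None
    key = data[0] ^ ord("M")
    return key if looks_like_pe(xor_decode(data, key)) else None

def encoded_signature(key):
    """Leading bytes of a PE encoded under `key`; handy as a static signature."""
    return xor_decode(b"MZ", key)

def classify_jpg(data):
    """Triage a file served as .jpg: real JPEG, XOR-encoded PE, or unknown."""
    if data.startswith(JPEG_MAGIC):
        return ("jpeg", None)
    key = find_xor_key(data)
    return ("xor-pe", key) if key is not None else ("unknown", None)

if __name__ == "__main__":
    sample = xor_decode(build_fake_pe(), SNOWMAN_KEY)  # constructed "payload.jpg"
    print(classify_jpg(sample), encoded_signature(SNOWMAN_KEY).hex())
```

Because the key is fully determined by the first byte, the check costs one decode per file and also flags plaintext PEs (key 0) hiding behind an image extension.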
