News

FireEye finds active watering hole attack using IE zero-day exploit

Brandan Blevins, News Writer

Microsoft has confirmed a report that a newly uncovered Internet Explorer zero-day exploit is being utilized in an active attack campaign, with IE versions 9 and 10 said to be vulnerable.

In a blog

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

post, Milpitas, Calif.-based security vendor FireEye Inc. said the Internet Explorer (IE) zero day, CVE-2014-0322, is being deployed as a part of a watering hole attack, which typically involves the compromise of a specific website in order to target a group of visitors known to frequent it.

In this case, FireEye found the exploit is being served up through the U.S. Veterans of Foreign Wars' website, speculating that attackers are targeting members of the U.S. military ahead of the Presidents Day holiday.

The attack utilized the familiar technique of inserting an iFrame into the website's HTML code, which then loads a malicious webpage without the knowledge of the user. Once the zero-day is exploited through the attacker's webpage, the user will "download a XOR-encoded payload from a remote server, decode and execute it," according to FireEye.

In a statement to Ars Technica late Thursday, Microsoft confirmed the flaw in IE 10, as FireEye reported, as well as in IE 9.

Though FireEye's researchers redacted information relating to the destination of the malicious iFrame redirect, Aviv Raff, chief technology officer of Santa Clara, Calif.-based security vendor Seculert Ltd., provided a screenshot on Twitter that indicated aliststatus.com was being used to serve the exploit.

FireEye said the attackers utilized a previously undiscovered vulnerability known as the "use-after-free" bug, which allowed them to "modify one byte of memory at an arbitrary address." The vulnerability ultimately allowed them to bypass address space layout randomization (ASLR) by accessing the memory from Flash ActionScript.

Based on the tactics utilized in the attack, FireEye's researchers believe there is a connection to two campaigns they have previously identified: Operation DeputyDog and Operation Ephemeral Hydra. They have dubbed this attack campaign "Operation SnowMan."

To mitigate the IE zero-day exploit, there seem to be two options until Microsoft delivers a patch for vulnerable versions of the Web browser. The first is simply to upgrade Internet Explorer to version 11 or, where possible, use a different Web browser.

The other, according to FireEye, is to utilize Microsoft's Enhanced Mitigation Toolkit Experience (EMET).

"The attacker uses the Microsoft.XMLDOM ActiveX control to load a one-line XML string containing a file path to the EMET DLL," said FireEye researchers on the blog post. "Then the exploit code parses the error resulting from the XML load order to determine whether the load failed because the EMET DLL is not present. The exploit proceeds only if this check determines the EMET DLL is not present."