The discovered attack appears to have been a watering hole attack linked to the Elderwood project, using the Council on Foreign Relations (CFR) website. Watering hole attacks first locate and compromise a site likely to be of interest to the intended targets, and then wait for those targets to visit. In this instance a 0-day vulnerability affecting Internet Explorer versions 6 to 8 was exploited to infect susceptible visitors. There is some suggestion that the targets include Chinese dissidents. Although the compromised website is in New York, the exploit only triggers if the visiting browser's language is Chinese, Chinese (Taiwan), Japanese, Korean, or Russian.
“The vulnerability present in Internet Explorer 8 seems to be a use-after-free,” explains Jaime Blasco of AlienVault. “The exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections.” IE9 and IE10 users are not vulnerable. If the exploit code is successful and a payload is implanted on the target, the payload attempts to connect to a command-and-control (C&C) server from which further malware can be downloaded.
Although the discovered attack targeted a specific website, other users of the vulnerable IE versions should not ignore the threat. “There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack,” warns the Internet Storm Center, “meaning this will move into mainstream exploitation rapidly, thus mitigation steps should be taken as soon as possible.” The best protection against exploits for this vulnerability, suggests Microsoft, is for the vulnerable code not to be present at all. Neither Internet Explorer 9 nor Internet Explorer 10 includes the vulnerable code. Where possible, then, the solution is to upgrade to IE9 or IE10 as soon as possible.
Where this is not possible – either because of company policy or because of the use of Windows XP, which does not support IE9 or IE10 – users should apply the Microsoft Fix-it, or switch to a different browser. “If you are using IE9 or IE10, today is your lucky day, because you are not vulnerable to this. For those who are using older versions of IE such as 8 -- what's the matter with you?” comments sinn3r in the Rapid7 Metasploit blog.