Websense is a member of the Microsoft Active Protections Program (MAPP) which provides early warning on vulnerabilities so that security firms can apply protection as early as possible. This data enabled Websense to detect and track an instance of CVE-2013-3897 being exploited in the wild, and from that determine both the source of the attacks and the geographic location of the targets.
While Trustwave, who first detected and reported the vulnerability to Microsoft, had seen it being targeted against Japanese and Korean users, Websense has seen it "used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States" from as early as September 18th, 2013. Websense also notes that the servers delivering the attack have IP addresses in a network range geolocated in the South Korea – and probably situate in Seoul.
The apparent surprise addition of the US as a target area is possibly explained because while the vulnerability is new, the campaign is not. "Websense telemetry indicates that the attack campaign using the same infrastructure and the exploit (CVE-2012-4792) began as early as August 23rd 2013 before transitioning to CVE-2013-3897 in mid-September," writes Websense. According to the company, as much as 50% of the targets for the overall campaign are located in the US, with 33% in Korea and 17% in Hong Kong.
Meanwhile, Trustwave has released further details of its own, including a detailed analysis of how the exploit works. It also points to certain similarities between both new vulnerabilities, CVE-2013-3893 and CVE-2013-3897, fixed by Microsoft. Users will immediately notice a surprising coincidence in two zero-day vulnerabilities emerging at around the same time and targeting broadly similar geographic regions. Now Trustwave also highlights additional internal technical similarities in the exploits.
"The two zero-day exploits use the same technique in order to control the victim EIP – both append a heap-address value to the title attribute of div elements created inside an array context," it explains. "Using this technique the attacker can override 'freed' memory with predefined heap memory address (pointing to the malicious shellcode) which can later be called by EIP."
But there is a huge difference in the shellcode used in the attacks, and the payloads delivered, indicating two separate campaigns by two separate actors. "All of this may suggest," posits Trustwave, "that the two exploits were written and/or sold by the same cybercriminal group to a different criminal identity that used the zero-days for completely different purposes."