New IE 0-Day Used in Watering Hole Attack

New IE 0-Day Used in Watering Hole Attack
New IE 0-Day Used in Watering Hole Attack

FireEye discovered the exploit (CVE-2014-0322) on 11 February. (Websense has since said it has been tracking it since 20 January.) On vfw.org the attackers inserted an iframe that loaded the attacker's own page in the background. This then ran a Flash object that orchestrated the remainder of the exploit.

"The exploit targets IE 10 with Adobe Flash," reports FireEye, but aborts "if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET)." Microsoft has since confirmed the existence of the flaw, but added that it also affects IE9. Both FireEye and Microsoft recommend upgrading to IE11 which is not affected.

It is a classic watering hole attack dubbed Operation SnowMan by FireEye (who suspects that its use during bad weather conditions in the US is not simple coincidence). "A possible objective in the SnowMan attack," say the researchers, "is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website."

Similarities between this attack and the DeputyDog and Ephemeral Hydra campaigns suggest that the same actors are behind all three campaigns. Similarities include the use of a Flash file to orchestrate the exploit, the way the Flash file is used, and identical functions with common typos. Those actors have previously targeted US government entities, Japanese firms, defense companies, law firms, IT companies, mining companies and NGOs.

For this reason, their "proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term." As if to immediately prove this point, Websense announced shortly afterwards that it had "discovered the use of CVE-2014-0322 as early as January 20, 2014 - nearly 3 weeks before the previously known first date of the attacks." It also added, "Early analysis indicates correlations between this attack and the DeputyDog and EphemeralHydra groups."

The Websense observation is not of a compromised legitimate site, but of a malicious typosquatting site (gifas.assso.net, apparently meant to look like gifas.asso.fr); which seems to suggest that the French aerospace industry is being targeted. Websense adds, however, "The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been covered by FireEye."

In both cases the purpose is to compromise visiting individuals who might be able to provide actual information, or the credentials necessary to break into US military or French aerospace networks.

What’s Hot on Infosecurity Magazine?