IE 0-Day Probably Tied to the Hidden Lynx Hacking Group

On 17 September Microsoft issued an advisory for an actively exploited vulnerability (CVE-2013-3893) affecting all supported versions of Internet Explorer, and released an emergency Fix it for users pending a formal patch. That patch is expected within the next two weeks as an out-of-band update.

On the same day Symantec published details on the hacking group it has called Hidden Lynx, which it describes as "best of breed" with "a hunger and drive that surpass other well-known groups such as APT1/Comment Crew." In particular, it laid blame for the Bit9 hack of last year on this group of hackers.

New research from FireEye has now linked the IE 0-day attacks to the same Hidden Lynx hackers. Although FireEye does not mention the group by name, it suggests that the current campaign (which it dubs Operation DeputyDog, after a string found in the exploit) is directed by the same actors as those behind the Bit9 hack; that is, Hidden Lynx.

According to Bit9, says FireEye, one of the rootkit variants used against it connected to the known malicious domain yahooeast[.]net. "The domain yahooeast[.]net", says FireEye, "was registered to 654@123.com. This email address was also used to register blankchair[.]com... and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability." A shared registrant e-mail is not absolute proof that Hidden Lynx is behind the new campaign, but it is a fair indication, and it would also explain the urgency of Microsoft's warning.
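The FireEye link described above is a registrant pivot: start from a domain already tied to a known intrusion, look up who registered it, and find other domains registered with the same e-mail address. The following is an added example, not FireEye's or Bit9's tooling, showing that pivot over a small set of constructed WHOIS-style records. The two malicious domains and the registrant e-mail are the ones FireEye names in the quote above; the record layout, the unrelated control domain and the helper names are assumptions made for the example. It also accepts defanged indicators written either as `yahooeast[.]net` or `yahooeast [dot] net`, since both forms appear in reporting.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records (not real WHOIS output). The registrant
# e-mail and the two domains it links come from the FireEye attribution
# quoted in the article; the third record is a made-up control domain
# with a different registrant, to show that unrelated domains are not pulled in.
WHOIS_RECORDS = [
    {"domain": "yahooeast[.]net", "registrant_email": "654@123.com"},
    {"domain": "blankchair[.]com", "registrant_email": "654@123.com"},
    {"domain": "unrelated-control[.]org", "registrant_email": "registrar-privacy@example.org"},
]


def refang(domain):
    """Normalise a defanged indicator ('x[.]y', 'x [dot] y') to a plain lowercase hostname."""
    d = domain.strip().lower()
    # bracketed forms: "[.]", "[dot]", with optional surrounding whitespace
    d = re.sub(r"\s*\[\s*(?:\.|dot)\s*\]\s*", ".", d)
    # bare " dot " with surrounding spaces and optional parentheses
    d = re.sub(r"\s+\(?dot\)?\s+", ".", d)
    return d


def build_registrant_index(records):
    """Map each registrant e-mail (lowercased) to the set of domains it registered."""
    index = defaultdict(set)
    for rec in records:
        index[rec["registrant_email"].strip().lower()].add(refang(rec["domain"]))
    return index


def pivot_on_registrant(known_bad, records):
    """Return domains that share a registrant e-mail with any known-bad domain.

    The result maps each newly linked domain to the evidence for the link:
    the shared e-mail and the known-bad domain(s) registered with it.
    """
    index = build_registrant_index(records)
    bad = {refang(d) for d in known_bad}
    linked = {}
    for email, domains in index.items():
        seeds = domains & bad
        if not seeds:
            continue
        for candidate in domains - bad:
            linked[candidate] = {"registrant_email": email, "linked_via": sorted(seeds)}
    return linked


if __name__ == "__main__":
    # Seed with the domain Bit9 saw its rootkit contact; expect blankchair.com to surface.
    for dom, evidence in pivot_on_registrant(["yahooeast [dot] net"], WHOIS_RECORDS).items():
        print(dom, "<-", evidence["registrant_email"], "via", ", ".join(evidence["linked_via"]))
```

Treat the output as a lead, not a verdict: registrant e-mails are easily reused, spoofed in registration data, or hidden behind privacy services, which is why the article itself calls this "a fair indication" rather than proof. In practice the pivot is corroborated with other overlaps (name servers, IP history, certificate reuse) before a domain is blocked or attributed.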

FireEye has confirmed reports that the campaign targeted entities in Japan. It found the payload delivered by the campaign hosted on a server in Hong Kong; that payload in turn fetches a secondary payload from a server in South Korea.

The campaign itself appears to be a watering hole attack using Japanese media outlets. According to a report in Kaspersky's ThreatPost, the attackers "have compromised several popular local Japanese media outlets and have infected systems belonging to government, high tech and manufacturing organizations in Japan." ThreatPost also reports that although FireEye has been liaising with the Japanese CERT, "It is unclear whether the sites used in the watering hole attack have been cleaned up."

It is important, therefore, that all Internet Explorer users make use of the Microsoft Fix it to protect themselves as soon as possible. The Fix it is an interim workaround rather than a patch, so it should be followed by the formal update once Microsoft releases it.
