Last week a U.S. Department of Labor website was discovered to be redirecting users to sites serving a hard-to-detect variant of the Poison Ivy backdoor Trojan. Researchers are now saying that the exploit used took advantage of a previously unknown and currently unpatched Internet Explorer 8 remote code execution vulnerability.
Microsoft confirmed the existence of the vulnerability on Friday, saying that it only affected IE8 on Windows XP and possibly IE8 on Windows 7. IE 6, 7, 9 and 10 are not affected, and users who can are advised to upgrade to one of the last two versions until the flaw is patched.
Those who can’t can mitigate it by setting the Internet and local intranet security zones to “High”, which blocks ActiveX Controls and Active Scripting in those zones, or by configuring IE to prompt before running Active Scripting (or to disable it altogether) in the Internet and local intranet zones.
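As an added example (not from the article, and not from Microsoft's advisory), the following PowerShell script applies and audits those two zone mitigations for the current user. It writes the per-action values Internet Explorer stores under its Zones registry key: action 1200 ("Run ActiveX controls and plug-ins") and action 1400 ("Active scripting"), in zone 1 (Local intranet) and zone 3 (Internet), where the data 0 means Enable, 1 means Prompt and 3 means Disable. The key path, zone numbers and action numbers are Internet Explorer's own documented layout; the function names and the -PromptScripting switch are assumptions made for this example.

```powershell
# Added example: apply and audit the IE zone mitigations for the current user.
# Registry layout (documented by Microsoft for Internet Explorer security zones):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   zone 1 = Local intranet, zone 3 = Internet
#   value 1200 = "Run ActiveX controls and plug-ins", value 1400 = "Active scripting"
#   data 0 = Enable, 1 = Prompt, 3 = Disable
# The function names and the -PromptScripting switch are this example's own.

$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$TargetZones = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions     = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$StateNames  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneMitigationState {
    # Returns one row per zone/action with the current setting, so the state
    # can be reviewed (or exported for a change record) before and after the change.
    foreach ($zone in $TargetZones.Keys) {
        $key = Join-Path $ZonesKey $zone
        foreach ($action in $Actions.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($null -eq $current) {
                $state = 'not set (zone default applies)'
            } else {
                $state = $StateNames[[int]$current]
            }
            New-Object PSObject -Property @{
                Zone   = "$zone ($($TargetZones[$zone]))"
                Action = "$action ($($Actions[$action]))"
                Value  = $current
                State  = $state
            }
        }
    }
}

function Set-IEZoneMitigation {
    param(
        # Prompt before running Active Scripting instead of disabling it,
        # the softer of the two options described in the article.
        [switch]$PromptScripting
    )
    if ($PromptScripting) { $scriptValue = 1 } else { $scriptValue = 3 }
    foreach ($zone in $TargetZones.Keys) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1200: ActiveX controls and plug-ins -> Disable
        Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord
        # 1400: Active scripting -> Disable, or Prompt if requested
        Set-ItemProperty -Path $key -Name '1400' -Value $scriptValue -Type DWord
    }
}

# Usage: audit, apply, audit again. IE picks the values up the next time it starts.
Get-IEZoneMitigationState | Format-Table Zone, Action, Value, State -AutoSize
Set-IEZoneMitigation            # or: Set-IEZoneMitigation -PromptScripting
Get-IEZoneMitigationState | Format-Table Zone, Action, Value, State -AutoSize
```

Two practical caveats: on domain-joined machines the equivalent Group Policy settings take precedence, so the per-user values written here may be ignored, and because only two of the template's values are changed the zone will typically show as "Custom" rather than "High" in Internet Options. Keeping the before and after output of the audit function is the easy way to confirm the change and to roll it back once the patch ships.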
The booby-trapped site was the DoL’s “Site Exposure Matrices” website, which contains information about illnesses related to exposure to toxic substances and radiation. According to AlienVault researchers, at least 9 other websites (acting as “watering holes”) were redirecting visitors to the malicious server at the same time.
“The list of affected sites includes several non-profit groups and institutes as well as a big European company that plays on the aerospace, defense and security markets,” they pointed out, and added that the server serving the malicious payloads has been linked to previous attacks by a known Chinese cyber espionage group called “DeepPanda.”
If you think you are probably safe because you aren’t the right target for such a campaign, be aware that the exploit will surely soon be replicated by other malicious actors and used for other types of attacks, so updating to IE 9 or 10 is definitely recommended.
UPDATE: A Metasploit module exploiting the vulnerability has been released, so it’s just a matter of days until the exploit is integrated into a popular exploit kit.