Over the weekend, FireEye researchers have managed to shed some light on the in-the-wild attacks leveraging the latest discovered Internet Explorer zero-day vulnerability (CVE-2013-3893), and have tracked it back to the Chinese hacking group that hit Bit9 earlier this year.
According to their research, the campaign – dubbed DeputyDog – has been targeting Japanese organizations since August August 19, 2013, and the attackers have been using a C&C infrastructure that is related to the infrastructure used in the attack on Bit9:
Some of the malware samples that they have discovered and analyzed have been compiled on August 19. As a reminder: Microsoft has issued a Fix it for the vulnerability on September 17, and has confirmed that it affects all supported versions of Internet Explorer.
They have still not confirmed when a security update fixing the flaw will be released. The next one is Patch Tuesday is scheduled for October 8, so it remains to hope that Microsoft will consider the issuing of an out-of-band patch.
In the meantime, SANS’ Internet Storm Center has reacted by raising their official threat level to “yellow”, following “increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505”.
“There is some indication that a weaponized exploit may be in broader circulation now, so expect this to ramp up quickly,” commented ISC handler Russ McRee, adding that Rapid 7 is also likely to release a Metasploit exploit for the flaw soon.
“The simplest way to avoid this risk is to use a browser other than Internet Explorer,” pointed out Ross Barrett, senior manager of security engineering at Rapid7. “Users who must use Internet Explorer should install all available Internet Explorer patches, and only use the latest versions available. Neither of those things will directly help with this specific issue, but are good practices and pre-requisites for the following actions to be at all effective.”
“To mitigate the risk of exploitation from this issue, install EMET 4.0, configure it to force ASLR, and enable a number of heap spraying and ROP protections. Additionally, there is a “fixit” available from Microsoft which will attempt to modify the system to prevent exploitation,” he concluded.