While Microsoft has yet to issue a patch for the latest Internet Explorer zero-day (CVE-2013-3893), reports are coming in that the flaw has been exploited more widely, and for longer, than initially believed.
Microsoft acknowledged the existence of the vulnerability and its active exploitation earlier this month, and has issued a Fix it tool to mitigate the danger until a patch can be released.
Since then, FireEye researchers have tied the attacks to the Chinese hacking group that hit Bit9 earlier this year, and have shared that the campaign ("Operation DeputyDog") was aimed at Japanese organizations and began no later than August 19.
Then, on Thursday, researchers from both AlienVault and Websense released their findings regarding the exploit used.
AlienVault researcher Jaime Blasco says they spotted it being hosted on a subdomain of Taiwan's Government e-Procurement System, and discovered that visitors loading the main page for the first time were instantly redirected to the exploit page and served a malicious file.
But not all visitors were targeted, only those running Internet Explorer 8 or 9 on Windows XP or Windows 7 with the system language set to English, Chinese, French, German, Japanese, Russian, Korean, or Portuguese; everyone else was left alone, which both narrows the victim set and keeps the exploit out of the hands of casual visitors and crawlers.
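The gating described above (IE 8 or 9, Windows XP or 7, one of eight languages) also tells a defender which of their own clients could have been served the exploit. The following is an added example, not code from the article or from AlienVault, Websense or FireEye: it hunts through proxy logs for requests to the watering-hole host from clients fitting that profile. The tab-separated log format, the sample lines, and the hostname `procurement.example.invalid` are all constructed for illustration (the article does not name the subdomain), and the browser's Accept-Language header is used as a stand-in for the OS display language, which a proxy cannot observe directly.

```python
"""Hunt proxy logs for clients matching the DeputyDog watering-hole targeting profile.

Added example; not code from the article or from any vendor it quotes. Assumes a
tab-separated log of (timestamp, client IP, host, path, User-Agent, Accept-Language)
and a placeholder hostname, both constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample log lines: one true hit, plus clients excluded by IE version,
# browser family, destination host, Windows version and language respectively.
SAMPLE_LOGS = [
    "2013-09-19T08:01:12Z\t10.0.0.5\tprocurement.example.invalid\t/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\ten-US,en;q=0.8",
    "2013-09-19T08:01:40Z\t10.0.0.6\tprocurement.example.invalid\t/\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\tja,en;q=0.5",
    "2013-09-19T08:02:03Z\t10.0.0.7\tprocurement.example.invalid\t/\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0.1547.66\tzh-TW,zh;q=0.8",
    "2013-09-19T08:02:30Z\t10.0.0.8\tintranet.corp.invalid\t/news\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\tde-DE,de;q=0.8",
    "2013-09-19T08:03:15Z\t10.0.0.9\tprocurement.example.invalid\t/\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)\tko-KR,ko;q=0.8",
    "2013-09-19T08:03:50Z\t10.0.0.10\tprocurement.example.invalid\t/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\tes-ES,es;q=0.8",
]

SUSPECT_HOST = "procurement.example.invalid"  # placeholder; the article does not name the real host

# IE advertises "MSIE <major>.<minor>; Windows NT <version>" in its User-Agent.
UA_RE = re.compile(r"MSIE (?P<ie>\d+)\.\d+;.*?Windows NT (?P<nt>\d+\.\d+)")
TARGETED_IE = {"8", "9"}
TARGETED_OS = {"5.1": "Windows XP", "6.1": "Windows 7"}
TARGETED_LANGS = {"en", "zh", "fr", "de", "ja", "ru", "ko", "pt"}


def client_profile(user_agent: str) -> Optional[tuple[str, str]]:
    """Return (IE major version, Windows NT version) from an IE User-Agent, or None for other browsers."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return m.group("ie"), m.group("nt")


def primary_language(accept_language: str) -> str:
    """Primary language tag, e.g. 'en' from 'en-US,en;q=0.8'.

    Accept-Language is a browser setting; it is used here as an approximation of the OS
    display language the attackers checked, which is not visible in proxy logs.
    """
    first = accept_language.split(",", 1)[0].strip()
    return first.split(";", 1)[0].split("-", 1)[0].lower()


def is_targeted_profile(user_agent: str, accept_language: str) -> bool:
    """True if this client fits the IE 8/9 + XP/7 + eight-language profile the exploit page served."""
    profile = client_profile(user_agent)
    if profile is None:
        return False
    ie, nt = profile
    return ie in TARGETED_IE and nt in TARGETED_OS and primary_language(accept_language) in TARGETED_LANGS


def parse_line(line: str) -> dict:
    """Split one constructed tab-separated log line into its fields."""
    ts, src_ip, host, path, ua, lang = line.rstrip("\n").split("\t")
    return {"ts": ts, "src_ip": src_ip, "host": host, "path": path, "ua": ua, "lang": lang}


def hunt(lines, suspect_host: str = SUSPECT_HOST) -> list[dict]:
    """Requests to suspect_host from clients that would have been served the exploit rather than the benign page."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["host"] != suspect_host:
            continue
        if not is_targeted_profile(rec["ua"], rec["lang"]):
            continue
        ie, nt = client_profile(rec["ua"])
        hits.append({**rec, "ie": ie, "os": TARGETED_OS[nt]})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"{h['ts']} {h['src_ip']} IE{h['ie']} on {h['os']} ({h['lang']}) -> {h['host']}{h['path']}")
```

Clients that visited the host but fall outside the profile still deserve a look (the redirect itself may be logged), but the profile match is the short list to image and examine first.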
Websense's Alex Watson confirmed the Taiwan connection.
“Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not just limited to Japan,” he shared.
“Websense Threat Intelligence indicates that the threat actor’s attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure,” he added.