IE 0-day used in watering hole attack tied to previous campaigns

An Internet Explorer zero-day vulnerability (CVE-2014-0322) is actively exploited in the wild in a watering-hole attack targeting visitors to the official website of the U.S. Veterans of Foreign Wars, FireEye researchers warned on Thursday.

“It’s a brand new zero-day that targets IE 10 users visiting the compromised website – a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download an XOR-encoded payload from a remote server, decode and execute it,” they explained.

“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra),” they added in a later blog post.

This new campaign has been dubbed “Operation SnowMan,” and the similarities with the aforementioned earlier campaigns are many: exploitation of an IE zero-day, delivery of a remote access Trojan (Gh0st RAT), the “watering hole” exploit delivery method, related C&C infrastructure, and the use of a payload encoded with a simple single-byte XOR (key 0x95) and disguised with a .jpg extension.
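Single-byte XOR is trivial to undo once the key is known, and the key is easy to recover when it is not: a Windows executable always begins with "MZ" and carries the DOS stub string, so trying all 256 keys and looking for those markers finds it in milliseconds. The script below is an added example written for this article, not FireEye's tooling or the attackers' code; it generalizes the 0x95 case in the text to any single-byte key. The PE-shaped blob it decodes is constructed inline (headers only, not a runnable binary), and the helper names are this example's own.

```python
"""Recover a single-byte XOR key from a payload served with a .jpg extension.

Added example, not code from the article or from FireEye. Assumptions:
the encoded payload is a Windows PE (starts with "MZ" after decoding and
contains the DOS stub string) and one key byte is XORed over every byte.
The sample blob is constructed here, not captured from the campaign.
"""

DOS_STUB = b"This program cannot be run in DOS mode"
JPEG_MAGIC = b"\xff\xd8\xff"


def looks_like_jpeg(data: bytes) -> bool:
    """A real .jpg starts with FF D8 FF; a disguised payload will not."""
    return data[:3] == JPEG_MAGIC


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_pe(candidate: bytes) -> int:
    """Heuristic: 0 = no PE markers; higher = more markers found."""
    score = 0
    if candidate[:2] == b"MZ":
        score += 1
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature
        if len(candidate) >= 0x40:
            e_lfanew = int.from_bytes(candidate[0x3C:0x40], "little")
            if candidate[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                score += 2
    if DOS_STUB in candidate:
        score += 1
    return score


def recover_xor_key(blob: bytes):
    """Try all 256 keys; return (key, decoded) for the most PE-looking result,
    or None when no key yields anything PE-shaped."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        s = score_pe(decoded)
        if s and (best is None or s > best[0]):
            best = (s, key, decoded)
    if best is None:
        return None
    return best[1], best[2]


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header, stub text, PE signature."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 0x3A + e_lfanew.to_bytes(4, "little")
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b".\r\r\n$")
    padding = b"\x00" * (e_lfanew - len(dos_header) - len(stub))
    return dos_header + stub + padding + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 0x40


SNOWMAN_KEY = 0x95  # the key FireEye reported for this campaign

# Constructed stand-in for the served "image": no JPEG magic, just the XORed PE.
ENCODED_JPG = xor_bytes(build_fake_pe(), SNOWMAN_KEY)


def main():
    print("JPEG magic present:", looks_like_jpeg(ENCODED_JPG))
    result = recover_xor_key(ENCODED_JPG)
    if result is None:
        print("no single-byte XOR key produced a PE")
        return
    key, decoded = result
    print(f"recovered key 0x{key:02x}, header {decoded[:2]!r}, "
          f"DOS stub found: {DOS_STUB in decoded}")


if __name__ == "__main__":
    main()
```

The mismatch between file extension and magic bytes is the cheap network-side check: a proxy or IDS rule that flags `.jpg` responses not starting with `FF D8 FF` catches this obfuscation without knowing the key. The brute force assumes a single key byte, as in this campaign; a multi-byte rolling key would need the same markers searched at each offset modulo the key length.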

“The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET),” they shared, and pointed out that, since the exploit bails out when it detects either condition, installing EMET or updating to IE 11 are effective mitigations against this particular attack.

The same actors are believed to have orchestrated all of these campaigns. So far the targets have been US government agencies, defense companies, IT and law firms, NGOs and mining companies, so it is safe to say these were cyber espionage campaigns geared at stealing confidential information.

Websense researchers say they observed this same vulnerability being exploited as early as January 20, 2014 (FireEye detected the exploit on February 11), against visitors to a fake site mimicking that of the French aerospace association GIFAS, whose members include contractors and firms in both the military and civilian aircraft industry.

Again, the similarities between Operation SnowMan and this campaign aimed at GIFAS members are many, giving rise to the belief that the actors behind them are the same ones.
