Last week Microsoft announced that today’s Patch Tuesday will include a fix for the critical IE zero-day vulnerability that was found exploited in watering hole attacks earlier this year – and none too soon, as a number of bad actors have been using the same exploit code in other similar attacks since then.
Initially, the exploit was used to compromise the visitors of a fake French aerospace association GIFAS site and the legitimate but compromised website of the US Veterans of Foreign Wars. Seculert researchers believe that the two attacks weren’t executed by the same group, but that the two groups bought the attack code from the same black market seller.
But in the last month or so, Websense has detected three more websites compromised to either redirect to the exploit or to serve it, as the exploit code has obviously ended up in the public domain.
First is hatobus.co.jp, a popular Japanese transportation website that gets as many as 25,000 visitors each week.
In this particular case, the attackers used both the IE exploit and exploit code for a Java vulnerability (CVE-2013-2465) to double the chances of success, and the victims would ultimately be saddled with a banking Trojan harvesting credentials for two Japanese banking sites.
The other two compromised websites belong to a Taiwanese English School and to Hong Kong University’s Chemistry Department. The former had the exploit on the main page.
“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” the researchers pointed out.
“We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it ‘evolved’ in scale: starting from being utilized on a cybersquatted lure website used in low-volume and selected ‘under the radar’ targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”