Recently patched IE 0-day abused in APT attacks
When Microsoft issued an out-of-band security update on May 1 to patch the zero-day Internet Explorer vulnerability, researchers from security company FireEye revealed that the bug was being actively exploited by attackers targeting US-based defense and financial firms.
At the time, they refrained from sharing more details about the attacks, but said that the attackers were after information and that they were a sophisticated group that “has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past.”
“They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors including one known as Pirpi,” they added.
A few days later, FireEye revealed that it had spotted new threat actors using the exploit in attacks, and that the attacks had expanded to additional industries.
Finally, at the AusCERT Conference taking place this week in Australia, the company confirmed that at least two Australian entities were also targeted in the same attacks, and that the group was given the exploit by a “digital quartermaster” operation whose existence FireEye postulated last year.
The APT group that performed the attacks is more than likely state-sponsored, FireEye engineering manager Rich Costanzo shared with The Register, and consists of various teams that perform different attacks.
“The Australian organisations were targeted by a section of the group called ‘team B’, which was less concerned with being identified by researchers and less meticulous in altering its attack techniques.”