430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

FireEye has identified a new IE zero-day exploit

FireEye Labs has identified a new IE zero-day exploit used for a watering hole attack in the US. As usual it is crucial to track and mitigate so dangerous threats in time to avoid serious problems. FireEye Labs has detected a new series of attacks based on the exploit of a new IE zero-day vulnerability […]

FireEye has identified a new IE zero-day exploit

FireEye Labs has identified a new IE zero-day exploit used for a watering hole attack in the US. As usual it is crucial to track and mitigate so dangerous threats in time to avoid serious problems.

FireEye Labs has detected a new series of attacks based on the exploit of a new IE zero-day vulnerability in IE browser. The attackers breached a website based in the US to deploy the exploit code to conduct a classic watering hole attack.

The discovery was announced just a few days after Microsoft revealed the Microsoft Zero-day CVE-2013-3906, it is a vulnerability in a Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email. The zero-day vulnerability was found in Microsoft products and allows attackers to install a malware via infected Word documents and target Microsoft Office users running on Windows Vista and Windows Server 2008.

 

IE zero-day watering hole

 

The new IE zero-day vulnerability detected by FireEye affects Windows XP with IE 8 and Windows 7 with IE 9, the exploit targets the English version of Internet Explorer, but according the experts it can be easily changed to leverage other languages.

Experts at FireEye confirmed that the exploit recently detected leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution, that attackers use the timestamp from the PE headers ofmsvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll.”  explained the researcher Xiaobo Chen and Dan Caselden in the post published by FireEye.

The analysis conducted by the research team at FireEye revealed this IE zero-day affects IE 7, 8, 9 and 10, and as happened for the Microsoft Zero-day CVE-2013-3906 , it can be mitigated by EMET per Microsoft’s feedback.

Very interesting the shellcode, the exploit implements a multi-stage shellcode payload that upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage download an executable and run it from disk.

FireEye experts announced the collaboration with the Microsoft Security team on research activities and the ongoing investigation, the post published has the intent to alert IT community on malicious activities. FireEye, as confirmed by the post title, believes that the IE zero-day exploit could be used for Watering Hole Attack with specific intent to hit groups of individuals of specific interest for the attackers.

Let me add that a similar attack could be classifiable in one the following categories:

  • State-sponsored attacks that limited the audience to hit to remain under coverage. State sponsored attacks could be linked to government units or to group of cyber mercenaries, like the case of Icefog team discovered by Kaspersky Lab team.
  • Malware based attacks that are conducted by cyber criminal for testing purpose. The malicious code is hosted on breached website visited by a limited portion of Internet users, in this way they retrieve important information to improve the malicious agent avoiding to be detected by security firms.

I cannot be more precise without having information on the nature of the targeted website and the complexity of source code used by the attackers

Pierluigi Paganini

(Security Affairs – Hacking, IE zero-day)