FireEye discovered a new zero-day exploit for IE in the wild – Operation Clandestine Fox

FireEye Research Labs has identified a new IE zero-day vulnerability exploited in a series of targeted attacks part of the Operation Clandestine Fox.

FireEye Research Labs has identified a new Internet Explorer (IE) zero-day vulnerability exploited in a series of targeted attacks. The zero-day flaw affects a wide range of versions of the popular browser, from IE6 to IE11, but experts at FireEye observed that the attacks are targeting IE9 through IE11.

The impact of the zero-day exploit is significant because the affected versions represent about a quarter of the total browser market, according to NetMarketShare:

  • IE 9      13.9%
  • IE 10    11.04%
  • IE 11     1.32%

As in previous cases, the flaw is a remote code execution vulnerability, and the exploit allows attackers to bypass both ASLR and DEP. Microsoft has assigned the flaw the identifier CVE-2014-1776 and issued a dedicated security advisory.

“Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

The experts have identified an ongoing campaign named “Operation Clandestine Fox”, but haven’t provided further details on it to avoid interfering with the investigation.

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.” reports the official post from FireEye.

While Microsoft confirmed that the Enhanced Mitigation Experience Toolkit (EMET) can mitigate the threat by breaking the exploit in the user's environment, FireEye confirmed that the attack does not work without Adobe Flash: disabling the Flash plugin within IE prevents the exploit from functioning.
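The workaround FireEye describes, disabling Flash inside IE, can be checked and applied from an administrative PowerShell session with the per-control "kill bit" that IE honours for ActiveX controls (Microsoft KB240797). This is an added example, not code from the Security Affairs post or from FireEye; it assumes the well-known CLSID of the "Shockwave Flash Object" control and that the shell is elevated when the mitigation is applied.

```powershell
# Added example: report and (optionally) set the IE kill bit for the Adobe Flash
# ActiveX control, so IE refuses to instantiate it. Assumes an elevated shell.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # "Shockwave Flash Object"
$KillBit    = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load the control

# On 64-bit Windows both hives matter: 32-bit IE tabs read the WOW6432Node view.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-FlashKillBitState {
    # One row per hive: current Compatibility Flags value and whether the kill bit is in it.
    foreach ($p in $Paths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $set = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        [pscustomobject]@{ Path = $p; CompatibilityFlags = $flags; KillBitSet = $set }
    }
}

function Set-FlashKillBit {
    # OR the kill bit into any flags already present instead of overwriting them.
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $new -Force | Out-Null
    }
}

# Report the current state; uncomment the last line to apply the workaround.
Get-FlashKillBitState | Format-Table -AutoSize
# Set-FlashKillBit
```

The kill bit only affects Internet Explorer; Flash in other browsers and the advisory's EMET guidance are separate controls, and the workaround is a stopgap until the vendor fix for CVE-2014-1776 is installed.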

“Does EMET help mitigate attacks that try to exploit this vulnerability? 
Yes. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.” reports the advisory issued by Microsoft.

The experts at FireEye reported another intriguing detail of the investigation: the APT group responsible for this zero-day exploit “has been the first group to have access to a select number of browser-based 0-day exploits” in the past.

The group appears particularly active and takes all the countermeasures needed to avoid being tracked: the threat actors have several different backdoors in their arsenal and never reuse the same command and control infrastructure.

FireEye's investigations allowed the security industry to discover eleven zero-day vulnerabilities during 2013; the company analyzed almost 40,000 unique advanced attacks, over 100 per day.

FireEye zero-day 2013

Stay tuned: FireEye will provide further data as soon as possible.


Pierluigi Paganini

(Security Affairs – Microsoft zero-day, FireEye)
