Attackers compromise U.S. veterans site to serve IE zero-day exploit

Researchers have discovered that a U.S. veterans website was compromised to serve a zero-day exploit – and that attackers likely launched the campaign to steal intel from military service members.  

On Thursday, FireEye revealed in a blog post that the exploit targets IE 10 by way of the popular Adobe Flash plug-in.

In the attack campaign, dubbed “Operation SnowMan,” the U.S. Veterans of Foreign Wars' website was booby trapped as a means of infecting visitors, the firm found. According to the blog post, hackers “added an IFRAME into the beginning of the website's HTML code that loads the attacker's page in the background,” so that victims are none the wiser of the attack.

“The attacker's HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit,” the blog post said. “The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript.”

FireEye also found that the exploit dropped a malicious payload that executes a ZxShell backdoor, an attack tool often used for cyber espionage purposes.

The news of the zero-day threat comes just days after Microsoft released its monthly Patch Tuesday security update for buggy software.

On Friday, a Microsoft spokesperson confirmed to SCMagazine.com that it was aware of “limited targeted attacks against Internet Explorer 10.”

“Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected,” the spokesperson said. “We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”

Other security firms have also begun to weigh in on the active zero-day attacks, including Symantec, which said on Friday that it was investigating reports on the threat.

On Thursday, Alex Watson, director of security research at Websense Labs, said in a blog post that its research team had discovered the use of the zero-day vulnerability (CVE-2014-0322) as early as Jan. 20.

Websense's findings, however, focused on separate attacks that targeted the French aerospace sector by delivering the exploit through a spurious URL meant to look like the web address of the official French Aerospace Industries Association (GIFAS) site.

“The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014: hxxp://gifas.assso.net [which] is presumably a fake site meant to look like hxxp://gifas.asso.fr, which is a French aerospace association,” Watson wrote.

Both Websense and FireEye noted familiar attack methods used by the perpetrators, which led them to link the attacks with those carried out in Operation DeputyDog and Operation Ephemeral Hydra.

In those campaigns, saboteurs also strategically used web compromise, in combination with zero-day exploits, to infect victims with remote access trojans.

Back in November, another U.S.-based website, which was used as a forum to discuss security policy, was compromised to scale an IE zero-day attack campaign.

To avoid attack, FireEye advised users to update their web browser to IE 11 or to install Microsoft's Enhanced Mitigation Experience Toolkit (EMET), as the exploit did not function with those installations.
