Hackers leveraging IE zero-day used watering hole attacks to compromise users

At least three major media sites in Japan were infected, FireEye researchers found.

Hackers booby-trapped popular websites in Japan to exploit a zero-day flaw in Internet Explorer, researchers found.

According to FireEye, these targeted attacks are what prompted Microsoft's warning to users last week that an unpatched vulnerability in IE (CVE-2013-3893) was being exploited in the wild.

In a Monday interview with SCMagazine.com, Darien Kindlund, manager of threat intelligence at FireEye, said that at least three major Japanese media websites were compromised in watering hole attacks, in which attackers plant exploit code on legitimate sites their intended targets are known to visit, so victims are infected simply by browsing to a trusted page.
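The practical question for a site owner after a report like this is whether their own pages have been turned into a watering hole. The usual footprint is a loader the attacker injected into legitimate HTML: a `<script>` or `<iframe>` pulling content from a host the site does not own, a zero-size or hidden iframe, or an inline script that unpacks itself with `unescape`/`fromCharCode`. The scanner below is an added example written for this article (it is not FireEye's, Microsoft's or SC Magazine's code, and it says nothing about how the Japanese sites were actually modified, which the article does not disclose). The allowlisted hostnames and both sample pages are constructed for the demo.

```python
# Added example: flag the typical footprint of a watering-hole injection in
# a page's HTML. Not code from FireEye, Microsoft or SC Magazine; the site
# allowlist and sample pages below are constructed for the demonstration.
from html.parser import HTMLParser
from urllib.parse import urlparse

LOADER_TAGS = {"script", "iframe", "object", "embed"}
OBFUSCATION_MARKERS = ("unescape(", "fromCharCode(", "eval(")


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings for suspicious loaders in one page."""

    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []
        self._in_script = False

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        return (
            "display:none" in style
            or "visibility:hidden" in style
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag not in LOADER_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")
        if src:
            # Relative URLs have no host and are same-origin; a
            # protocol-relative '//host/x.js' does have one and is checked.
            host = (urlparse(src).hostname or "").lower()
            if host and host not in self.site_hosts:
                self.findings.append(("offsite-loader", f"<{tag}> src={src}"))
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", f"<iframe> src={src or '(none)'}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script and any(m in data for m in OBFUSCATION_MARKERS):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_page(html, site_hosts):
    """Return a list of (kind, detail) findings for one HTML document."""
    scanner = InjectionScanner(site_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample data: a news site that legitimately loads scripts from
# its own hosts, and the same page with an injected hidden iframe and an
# obfuscated inline loader appended before </body>.
SITE_HOSTS = ["news.example.jp", "static.news.example.jp"]

CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.news.example.jp/lib.js"></script>
</head><body><p>Headline</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="//cdn-update.example.net/index.html" width="0" height="0"></iframe>'
    '<script>document.write(unescape("%3Ciframe%3E"))</script></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, SITE_HOSTS))
```

Run it over a crawl of your own pages with your real hostnames in `SITE_HOSTS`; anything flagged as `offsite-loader` that is not a known third-party dependency (analytics, ad networks, CDNs) deserves a diff against the last known-good deployment. Kindlund's 75,000-visit figure below is a reminder that this check is worth scheduling, not running once.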

“The verticals that were affected span from Japanese government [organizations], to manufacturing and high-tech companies,” Kindlund said, later adding that the attackers “may have been interested in one vertical, but the others were collateral damage.”

In a Saturday blog post, FireEye detailed the findings, confirming reports that Microsoft's warning stemmed from attacks in Japan. Security firm Qualys first noted that the targeted attacks appeared to be limited to Japanese users last Tuesday, the same day Microsoft released a temporary Fix It for the zero-day.

The zero-day is a remote code execution vulnerability. The attacks observed so far target IE 8 and 9, but Microsoft's advisory says the flaw itself is present in all supported versions of the browser, so users of other versions should not assume they are safe.

Kindlund noted that one of the infected websites drew heavy traffic before the exploit was removed.

“From one of the media sites, there were at least 75,000 visits made to the website before that exploit was discovered [and] it was taken down. The earliest report we have of [that] media site serving up the exploit was Sept. 5,” Kindlund said.

FireEye did not disclose which sites were infected, but said that Japanese computer security authorities were working with the media outlets to remediate the issue.

FireEye dubbed the campaign leveraging the zero-day "Operation DeputyDog." The company also believes the same group was behind the compromise of security firm Bit9 back in February, because infrastructure (IP addresses) used by the operators overlaps between the two attacks.

Kindlund said that the attackers appear to be running a "large-scale intelligence gathering operation," planting remote access tools (RATs) on victims' machines to carry out intellectual property theft or steal other corporate data.

On Monday, a Microsoft spokesperson declined to respond to questions about the infected media sites and instead advised users to apply the temporary Fix It for the zero-day flaw.

"There are only reports of a limited number of targeted attacks and customers who have installed the Fix It are not at risk from this issue," a Microsoft spokesperson said. "We encourage customers who have not applied the Fix It provided by Security Advisory 2887505 to do so, to help ensure they are protected."
