Security forum website targeted in drive-by attack leveraging IE zero-day

The website, used as a forum to discuss security policy, has become host to a drive-by attack.

A U.S.-based website used as a forum to discuss security policy has become host to a drive-by attack that leverages a zero-day vulnerability discovered in versions of Microsoft Internet Explorer (IE), researchers have discovered.

The cyber sleuths with network security company FireEye exposed the vulnerability on Friday, and Ned Moran, a senior malware researcher at FireEye, told SCMagazine.com on Monday that evidence suggests the attackers responsible for ‘Operation DeputyDog’ in August are also at work here.

The FireEye research team is referring to this recent attack – involving a variant of a payload known as Trojan.APT.9002 – as Operation Ephemeral Hydra.

“The attackers [are] able to remotely seize control of a victim's machine and exfiltrate data,” Moran said, explaining FireEye has only identified one impacted website so far. “We suspect that website was targeted because the attackers were interested in infecting individuals interested in U.S. national security and international security policy.”

The operators of the affected security website, which was used to launch the drive-by attack against visitors, have asked FireEye not to reveal its URL, Mike Scott, senior staff threat analyst at FireEye, told SCMagazine.com on Monday.

The zero-day takes advantage of a timestamp vulnerability affecting IE 7 and 8 on Windows XP and IE 9 on Windows 7, according to the FireEye post, which states that a memory access vulnerability designed to work with IE 7 and 8 on Windows XP and Windows 7 is also abused.

“The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages,” according to the post. “Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10.”

Until Microsoft issues an IE patch, Moran suggests that users avoid using the popular web browser.

“The fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills,” Moran said. “As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations.”

This zero-day vulnerability has nothing to do with a recently announced zero-day impacting versions of Microsoft Office and said by researchers to be targeting Pakistan.
