Security forum website targeted in drive-by attack leveraging IE zero-day

Share this article:
The website, used as a forum to discuss security policy, has become host to a drive-by attack.
The website, used as a forum to discuss security policy, has become host to a drive-by attack.

A U.S.-based website used as a forum to discuss security policy has become host to a drive-by attack that leverages a zero-day vulnerability discovered in versions of Microsoft Internet Explorer (IE), researchers have discovered.

The cyber sleuths with network security company FireEye exposed the vulnerability on Friday and Ned Moran, a senior malware researcher at FireEye, told SCMagazine.com on Monday that evidence suggests the attackers responsible for ‘Operation DeputyDog' in August are also at work here.

The FireEye research team is referring to this recent attack – involving a variant of a payload known as Trojan.APT.9002 – as Operation Ephemeral Hydra.

“The attackers [are] able to remotely seize control of a victim's machine and exfiltrate data,” Moran said, explaining FireEye has only identified one impacted website so far. “We suspect that website was targeted because the attackers were interested in infecting individuals interested in U.S. national security and international security policy.”

The operators of the affected security website, which became the drive-by attack against visitors, has asked FireEye not to reveal its URL, Mike Scott, senior staff threat analyst at FireEye, told SCMagazine.com on Monday.

The zero-day takes advantage of a timestamp vulnerability affecting IE 7 and 8 on Windows XP and IE 9 on Windows 7, according to the post, which states that a memory access vulnerability designed to work with IE 7 and 8 on Windows XP and Windows 7 is also abused.

“The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages,” according to the post. “Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10.

Until Microsoft issues an IE patch, Moran suggests that users avoid using the popular web browser.

“The fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills,” Moran said. “As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations.”

This zero-day vulnerability has nothing to do with a recently announced zero-day impacting versions of Microsoft Office and said by researchers to be targeting Pakistan.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.