U.S. Department of Labor website was serving zero-day Internet Explorer 8 exploit


Researchers now believe that a "watering hole" attack targeting the U.S. Department of Labor (DoL) website served an exploit that took advantage of a previously unknown vulnerability in Internet Explorer (IE) 8.

Earlier, analysts who studied the attack believed the malware exploited an already-patched vulnerability, which made the threat less worrisome: users would only have needed to apply the available security updates to avoid infection.

That assessment changed when Microsoft issued an advisory on Friday warning that attackers are actively exploiting a remote code execution zero-day flaw in IE 8, meaning no fix is yet available. IE 8 is the only version of the browser affected by the bug.

Eddie Mitchell, an engineer at security firm Invincea, said in a Friday blog post that this is the vulnerability that was being attacked on the DoL site. A malicious script on several of the pages directed victims to an attacker-owned site serving the Poison Ivy remote access trojan.

The compromised DoL pages, for the Site Exposure Matrices (SEM), have been cleaned, but they remain offline. SEM contains a database "designed to organize, display, and communicate information on the toxic substances found at [nuclear] sites and possible health effects associated with exposure to those substances." 

Attackers appear to be targeting U.S. Department of Energy contractors visiting the site for compensation information related to illnesses they may have contracted after being exposed to radioactive substances.

The Labor Department said in a statement: "The website was immediately taken offline and the department began working with appropriate internal and external authorities to investigate and to mitigate any potential impacts. The website will remain offline until DoL completes its initial investigation. At this time, there is no evidence of compromise to or loss of DoL information."

Watering hole attacks are an increasingly common espionage ploy in which adversaries compromise the web pages that their targets are likely to visit, in this case, individuals working on nuclear weaponry. 
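The injection described above (a script added to legitimate pages that sends visitors to an attacker-owned site) is something a site owner can check for from the server side. The following is an added example, not code from the article or from any of the firms it cites: it parses a page's HTML, collects every host that scripts load from or reference, and reports those not on the owner's allowlist. The allowlist, the sample page and the `.invalid` hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs, used to inspect the bodies of inline <script> blocks.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> references and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True  # inline block: body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def unexpected_script_hosts(html, allowed_hosts):
    """Return the sorted hosts that scripts on the page pull from or reference
    and that are not on the allowlist. Covers external <script src> tags and
    absolute URLs written from inline scripts (e.g. a hidden iframe to a
    third-party site). Relative and same-site references are ignored."""
    collector = _ScriptCollector()
    collector.feed(html)
    candidates = list(collector.srcs)
    for block in collector.inline:
        candidates.extend(URL_RE.findall(block))
    found = set()
    for url in candidates:
        host = urlparse(url).hostname  # None for relative paths such as /js/site.js
        if host and host.lower() not in allowed_hosts:
            found.add(host.lower())
    return sorted(found)


# Constructed allowlist and sample page for demonstration only.
ALLOWED = {"www.agency.example", "cdn.agency.example"}
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.agency.example/jquery.js"></script>
<script src="http://watering-hole.invalid/a.js"></script>
</head><body>
<script>document.write('<iframe src="http://drop.invalid/x.html" width=0 height=0></iframe>');</script>
</body></html>"""
```

Running `unexpected_script_hosts(SAMPLE_PAGE, ALLOWED)` on the sample reports the two foreign hosts; run against a known-good copy of each page, a non-empty result is a prompt to compare the live page with the deployed source.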

Microsoft is next scheduled to release a security update on May 14. It's unclear if a fix for this vulnerability will be included, or if the software giant will issue something out of its normal cycle.

UPDATE: The DoL isn't the only website affected, according to researchers at security firm AlienVault. They reported in a blog post on Sunday that no fewer than nine other sites also were clandestinely seeded with the zero-day exploit. 

Another security vendor, CrowdStrike, said it has traced the watering hole campaign back to mid-March, with most of the attacks targeting victims in the United States. Each of the affected sites is connected to energy-sector organizations.
