Researchers now believe that a “watering hole” attack targeting the U.S. Department of Labor (DoL) website served an exploit that took advantage of a previously unknown vulnerability in Internet Explorer (IE) 8.
Prior, analysts who studied the attack thought the malware leveraged an already-patched vulnerability, making the danger level less worrisome because all users would have to do to avoid infection is to apply the available security updates.
But that tune changed when Microsoft on Friday issued an advisory warning that attackers are actively exploiting a remote-execution, zero-day flaw in IE 8, meaning there is no fix available. IE 8 is the only version of the browser impacted by the bug.
Eddie Mitchell, an engineer at security firm Invincea, said in a Friday blog post that this is the vulnerability that was being attacked on the DoL site. A malicious script on several of the pages directed victims to an attacker-owned site serving the Poison Ivy remote access trojan.
The compromised DoL pages, for the Site Exposure Matrices (SEM), have been cleaned, but they remain offline. SEM contains a database “designed to organize, display, and communicate information on the toxic substances found at [nuclear] sites and possible health effects associated with exposure to those substances.”
Attackers appear to be targeting U.S. Department of Energy contractors visiting the site for compensation information related to illnesses they may have contracted after being exposed to radioactive substances.
The Labor Department said in a statement: “The website was immediately taken offline and the department began working with appropriate internal and external authorities to investigate and to mitigate any potential impacts. The website will remain offline until DoL completes its initial investigation. At this time, there is no evidence of compromise to or loss of DoL information.”
Watering hole attacks are an increasingly common espionage ploy in which adversaries compromise the web pages that their targets are likely to visit, in this case, individuals working on nuclear weaponry.
Microsoft is next scheduled to release a security update on May 14. It’s unclear if a fix for this vulnerability will be included, or if the software giant will issue something out of its normal cycle.
UPDATE: The DoL isn’t the only website affected, according to researchers at security firm AlienVault. They reported in a blog post on Sunday that no fewer than nine other sites also were clandestinely seeded with the zero-day exploit.
Another security vendor, CrowdStrike, said it has traced back the watering hole campaign to mid-March, with most of the attacks targeting victims in the United States. Each of the affected sites are related to energy-related organizations.