Threat Intelligence, Incident Response, TDR, Vulnerability Management

Attackers compromise U.S. veterans site to serve IE zero-day exploit


Researchers have discovered that a U.S. veterans website was compromised to serve a zero-day exploit – and that attackers likely launched the campaign to steal intel from military service members.  

On Thursday, FireEye revealed in a blog post that the exploit targets IE 10 by way of the popular Adobe Flash plug-in.

In the attack campaign, dubbed “Operation SnowMan,” the U.S. Veterans of Foreign Wars' website was booby trapped as a means of infecting visitors, the firm found. According to the blog post, hackers “added an IFRAME into the beginning of the website's HTML code that loads the attacker's page in the background,” so that victims are none the wiser of the attack.

“The attacker's HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit,” the blog post said. “The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript.”

FireEye also found that the exploit dropped a malicious payload that executes a ZxShell backdoor, an attack tool often used for cyber espionage purposes.

The news of the zero-day threat, comes just days after Microsoft released its monthly security update on Patch Tuesday for buggy software.

On Friday, a Microsoft spokesperson confirmed with that it was aware of “limited targeted attacks against Internet Explorer 10.”

“Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected," the spokesperson said. "We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”

Other security firms have also begun to weigh in on the active zero-day attacks, including Symantec, which said on Friday that it was investigating reports on the threat.

On Thursday, Alex Watson, director of security research at Websense Labs, said in a blog post that its research team had discovered the use of the zero-day vulnerability (CVE-2014-0322) as early as Jan. 20.

Websense's findings focused on separate attacks that targeted the French aerospace sector, however, by delivering the exploit through a spurious URL, meant to look like the web address for the official French Aerospace Industries Associations (GIFAS) site.

“The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014: hxxp:// [which] is presumably a fake site meant to look like hxxp://, which is a French aerospace association,” Watson wrote.

Both Websense and FireEye noted familiar attack methods used by the perpertrators, which led them to link the attacks with those carried out in Operation DeputyDog and Operation Ephemeral Hydra.

In those campaigns, saboteurs also strategically used web compromise, in combination with zero-day exploits, to infect victims with remote access trojans.

Back in November, another U.S.-based website, which was used as a forum to discuss security policy, was compromised to scale an IE zero-day attack campaign.

To avoid attack, FireEye advised users update their web browser to IE 11 or to install Microsoft's Experience Mitigation Toolkit (EMET), as the exploit did not function with those installations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.