Threat Intelligence, Incident Response, TDR, Vulnerability Management

Hackers leveraging IE zero-day used watering hole attacks to compromise users

Hackers booby trapped popular websites in Japan to exploit a zero-day flaw in Internet Explorer, researchers found.

According to FireEye, the targeted attacks prompted Microsoft's warning to users last week: that an unpatched vulnerability in IE (CVE-2013-3893) was being exploited by saboteurs.

In a Monday interview with, Darien Kindlund, manager of threat intelligence at FireEye, said that at least three major Japanese media websites were compromised in watering hole attacks - when miscreants infect sites frequently visited by their targets.

“The verticals that were affected span from Japanese government [organizations], to manufacturing and high-tech companies,” Kindlund said, later adding that the attackers “may have been interested in one vertical, but the others were collateral damage.”

In a Saturday blog post, FireEye detailed the findings, confirming reports that Microsoft's warnings stemmed from attacks in Japan. Security firm Qualys first made mention of the targeted attacks being limited to Japanese users last Tuesday, the same day Microsoft released a temporary fix for the zero-day.

The zero-day is a remote code execution vulnerability in IE 8 and 9, though the issue could impact users running all supported versions of the web browser.

Kindlund noted that one of the infected websites pulled in a high traffic count before the security issue was fixed.

“From one of the media sites, there were at least 75,000 visits made to the website before that exploit was discovered [and] it was taken down. The earliest report we have of [that] media site serving up the exploit was Sept. 5,” Kindlund said.

FireEye did not disclose which sites were infected, but said that Japanese computer security authorities were working with the media outlets to remediate the issue.

FireEye dubbed the campaign leveraging the zero-day “Operation Deputy Dog.” The company also believes the group compromised security firm Bit9 back in February due to IP addresses used by campaign operators in both attacks.

Kindlund said that the attackers appear to be a “large-scale intelligence gathering operation,” aiming to plant remote access tools (RATs) on victims' machines to carry out intellectual property theft or steal other corporate data.

On Monday, a Microsoft spokesperson declined to respond to inquiries about media sites being infected. Instead, the company advised users to employ the temporary fix for the zero-day flaw.

“There are only reports of a limited number of targeted attacks and customers who have installed the Fix It are not at risk from this issue,” a Microsoft spokesperson said. “We encourage customers who have not applied the Fix it provided by Security Advisory 2887505 to do so, to help ensure they are protected.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.