APT3, a group believed to be behind “Operation Clandestine Fox,” is now using exploits targeting recently disclosed vulnerabilities in Windows, researchers at FireEye found.
One of the bugs, CVE-2014-6332, was fixed this Patch Tuesday and noted for being remotely exploitable for 18 years prior to the update. The Windows OLE Automation Array Remote Code Execution vulnerability presented a serious security issue to users, researchers warned, as it impacts every version of Microsoft Windows since Windows 95.
At the time, IBM X-Force Research manager Robert Freeman said that remote exploitation became possible with the release of Internet Explorer 3.0 in 1996, when Visual Basic Script (VBScript) was introduced. In an interview with SCMagazine.com, Freeman explained that exploiting the bug would be a “tricky” feat, but also “very formulaic” to recreate once saboteurs came up with attack scenarios.
“The same VBScript code will cause the same outcome all of the time,” Freeman said in the interview.
Now, attacks exploiting the bug appear to have come to fruition, as security firm FireEye detailed in a Friday blog post. According to the company, the Windows OLE bug and a separate Windows privilege escalation vulnerability, CVE-2014-4113, have been targeted by the threat group called APT3.
Both bugs received a patch from Microsoft (CVE-2014-4113 in October's Patch Tuesday and CVE-2014-6332 in this month's update), a sign that APT3 has apparently moved from leveraging zero-day exploits to targeting victims with “known exploits or social engineering,” FireEye said.
In the Clandestine Fox campaign APT3 carried out, the group was initially observed exploiting an Internet Explorer zero-day to deliver malware to users. Then the group switched up its tactics, wooing new victims via social engineering – in one instance, targeting an energy company by posing as a job applicant seeking employment.
The supposed applicant contacted an employee on a popular social networking site and, weeks later, emailed a resume to the employee's personal email account. The resume was a weaponized file designed to drop a backdoor called “Cookie Cutter.”
In the most recent wave of phishing lures, dubbed “Operation Double Tap” and beginning last Wednesday, attackers sent malicious emails claiming to offer a free month's membership to a Playboy website, FireEye warned. On Oct. 28, APT3 was again observed sending spearphishing emails, which ultimately installed the Cookie Cutter backdoor on vulnerable users' machines.
FireEye published indicators of compromise (IOCs) in its post.