Incident Response, Malware, TDR, Vulnerability Management

Security forum website targeted in drive-by attack leveraging IE zero-day

A U.S.-based website used as a forum to discuss security policy has become host to a drive-by attack that leverages a zero-day vulnerability discovered in versions of Microsoft Internet Explorer (IE), researchers have discovered.

The cyber sleuths with network security company FireEye exposed the vulnerability on Friday and Ned Moran, a senior malware researcher at FireEye, told SCMagazine.com on Monday that evidence suggests the attackers responsible for ‘Operation DeputyDog' in August are also at work here.

The FireEye research team is referring to this recent attack – involving a variant of a payload known as Trojan.APT.9002 – as Operation Ephemeral Hydra.

“The attackers [are] able to remotely seize control of a victim's machine and exfiltrate data,” Moran said, explaining FireEye has only identified one impacted website so far. “We suspect that website was targeted because the attackers were interested in infecting individuals interested in U.S. national security and international security policy.”

The operators of the affected security website, which became the drive-by attack against visitors, has asked FireEye not to reveal its URL, Mike Scott, senior staff threat analyst at FireEye, told SCMagazine.com on Monday.

The zero-day takes advantage of a timestamp vulnerability affecting IE 7 and 8 on Windows XP and IE 9 on Windows 7, according to the post, which states that a memory access vulnerability designed to work with IE 7 and 8 on Windows XP and Windows 7 is also abused.

“The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages,” according to the post. “Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10.

Until Microsoft issues an IE patch, Moran suggests that users avoid using the popular web browser.

“The fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills,” Moran said. “As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations.”

This zero-day vulnerability has nothing to do with a recently announced zero-day impacting versions of Microsoft Office and said by researchers to be targeting Pakistan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.