Attackers exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser have compromised several popular local Japanese media outlets and have infected systems belonging to government, high tech and manufacturing organizations in Japan.
Researchers at FireEye said the attacks appear to be a large-scale intelligence gathering operation and are dropping a knock-off of the McRAT remote access malware to exfiltrate data from compromised computers. It is unclear whether the sites used in the watering hole attack have been cleaned up, said Darien Kindlund, manager of threat intelligence at FireEye, adding that his company has been in contact with CERTs in Japan about the issue.
The news of the attacks, coupled with the severity of the IE zero day, prompted the SANS Internet Storm Center to raise its threat level over the weekend. In the meantime, IE users are still being urged to install a FixIt tool as a temporary mitigation for the vulnerability until a patch is released. Experts believe Microsoft will issue an out-of-band patch before its next Patch Tuesday release on Oct. 8. Microsoft would not comment on a timeline when asked by Threatpost. Meanwhile, Metasploit engineers continue to work on an exploit module for this vulnerability, but to date one is not yet available, a company spokesperson said.
The targeted attacks on Japanese organizations were reported by Qualys a week ago, when Microsoft issued an advisory that an unpatched IE bug affecting all versions back to IE 6 was being exploited; Microsoft released a FixIt tool and urged IE users to install it as a mitigation until a patch was ready.
Microsoft’s Neil Sikka wrote in the advisory that a sample its engineers had seen worked on Windows XP and Windows 7, attacking a Use After Free vulnerability in the browser’s mshtml.dll HTML rendering engine, and that the JavaScript exploit was able to bypass ASLR. ASLR, or Address Space Layout Randomization, is a Windows security feature that randomizes where code and data are loaded in memory, making memory corruption exploits such as buffer overflows harder to carry out reliably.
“This is as severe as any browser issue can be,” Rapid7 senior manager of security engineering Ross Barrett said. Kindlund agreed, adding that the vulnerability in question is the perfect fodder for a watering hole attack.
In previous watering hole attacks, such as those spotted earlier this year against the Council on Foreign Relations website, the JavaScript planted on the compromised site would first try to learn what it could about the visiting endpoint, such as operating system or browser version, Kindlund said.
“Why did it do that? Because the exploit it was serving up could be specific to the particular flavor of IE or patch level of the operating system,” he said. “In this case, because the exploit covers so many versions of IE, the attackers don’t need to set up precursor logic like that in the JavaScript. They can deliver the same exploit (over and over) and be confident it will work.”
Kindlund also noted that the attacks, which date back to Aug. 19, coincide with major holidays and festivals in that part of the world. Today, for example, is Autumnal Equinox Day in Japan, a national holiday akin to Memorial Day in the U.S., and the China Moon Festival, a popular harvest festival, took place last week, meaning that fewer staff would be online and able to mitigate any issues.
FireEye named the attack Deputy Dog after a string found in the attack code. FireEye also said that it saw a payload executable file used against a Japanese target posing as an image file hosted on a Hong Kong server. Once it infects a host computer, it connects to a command and control server in South Korea over port 443; the callback traffic is unencrypted, despite its use of port 443, FireEye said, adding that a second sample it collected also connected to the same South Korean IP address.
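The detail that the callback is unencrypted even though it uses port 443 is a useful network signal: a real TLS session always opens with a ClientHello inside a TLS record, so a flow to 443 whose first client bytes do not parse as one deserves a look. The script below is an added example, not FireEye's or Threatpost's code; the flows it inspects are constructed for illustration (documentation IP ranges, a made-up HTTP callback and a made-up binary beacon), and in practice the payloads would come from a packet capture or a sensor that records the first bytes of each connection.

```python
"""Flag flows to TCP/443 that do not start with a TLS ClientHello.

Added example (not FireEye's or Threatpost's code). Sample flows below are
constructed; addresses are from the documentation ranges.
"""
import struct

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, Alert, Handshake, AppData
TLS_MAX_RECORD = 2 ** 14 + 2048                 # largest legal record body
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def is_tls_record(payload: bytes) -> bool:
    """True if the first five bytes parse as a plausible SSLv3/TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= TLS_MAX_RECORD)


def is_client_hello(payload: bytes) -> bool:
    """True if the payload is a Handshake record whose first message is ClientHello."""
    return (is_tls_record(payload) and payload[0] == 0x16
            and len(payload) > 5 and payload[5] == 0x01)


def classify_first_bytes(dst_port: int, payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow."""
    if dst_port != 443:
        return "not-443"
    if is_client_hello(payload):
        return "tls-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "cleartext-http-on-443"
    return "non-tls-on-443"


# Constructed sample flows: first client payload of each connection only.
CONSTRUCTED_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     # Handshake record (0x16), TLS 1.0 record version, ClientHello (0x01) inside.
     "payload": bytes.fromhex("160301002a010000260303") + b"\x00" * 32},
    {"src": "192.0.2.11", "dst": "203.0.113.7", "dport": 443,
     # Plain HTTP POST sent to 443: the pattern the article describes.
     "payload": b"POST /c.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                b"Content-Length: 14\r\n\r\nid=constructed"},
    {"src": "192.0.2.12", "dst": "203.0.113.9", "dport": 443,
     # Custom binary beacon, neither TLS nor HTTP.
     "payload": b"\x01\x00\xff\xee\x10\x00constructed-binary-beacon"},
    {"src": "192.0.2.13", "dst": "198.51.100.6", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"},
]


def find_suspicious(flows):
    """Return (src, dst, label) for each 443 flow that does not open with a ClientHello."""
    hits = []
    for flow in flows:
        label = classify_first_bytes(flow["dport"], flow["payload"])
        if label in ("cleartext-http-on-443", "non-tls-on-443"):
            hits.append((flow["src"], flow["dst"], label))
    return hits


if __name__ == "__main__":
    for src, dst, label in find_suspicious(CONSTRUCTED_FLOWS):
        print(f"{src} -> {dst}:443  {label}")
```

Treat a hit as a lead rather than a verdict: some legitimate software also runs non-TLS protocols over 443 to get through firewalls, so the flow should be checked against the destination's reputation and the process that opened it before it is acted on.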
FireEye said it also discovered a handful of malicious domains pointing to the same IP in South Korea, which allowed it to link the campaign to an attack against security company Bit9 earlier this year. The same email address that registered the South Korean server also registered a domain used in the attack on the security company.
“The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much,” said Qualys CTO Wolfgang Kandek. “While the attack is very targeted and geographically limited to Japan, it might not affect you at the moment. But with the publication of the shim, other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly.”
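Whether a module opts in to ASLR is recorded in its PE header: the linker sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the optional header's DllCharacteristics field when built with /DYNAMICBASE, and a DLL without it loads at its preferred address. The parser below is an added example, not Qualys's or Microsoft's code; the article does not name the Office DLL, so the script reads whatever PE files are given on the command line and, for offline use, also checks two minimal PE header images it constructs in memory.

```python
"""Report whether a PE file was linked with /DYNAMICBASE (ASLR opt-in).

Added example, not Qualys's or Microsoft's code. The DLL named on the page is
not identified there, so this takes file paths on the command line and also
runs against constructed header-only PE images.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def dll_characteristics(data: bytes) -> int:
    """Walk MZ -> PE signature -> COFF header -> optional header and return DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20                      # COFF file header is 20 bytes
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, optional)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (flags,) = struct.unpack_from("<H", data, optional + 70)
    return flags


def aslr_report(data: bytes) -> dict:
    """Decode the mitigation opt-in bits a defender cares about."""
    flags = dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_minimal_pe(dynamic_base: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (not loadable) for exercising the parser offline."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature follows the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    flags = IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    if dynamic_base:
        flags |= IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_path(path: str) -> dict:
    """Read a PE file from disk and report its mitigation bits."""
    with open(path, "rb") as fh:
        return aslr_report(fh.read())


if __name__ == "__main__":
    samples = {"constructed-no-aslr.dll": build_minimal_pe(False),
               "constructed-aslr.dll": build_minimal_pe(True, pe32plus=True)}
    for name, image in samples.items():
        print(name, aslr_report(image))
    for path in sys.argv[1:]:
        print(path, audit_path(path))
```

A false in dynamic_base for a DLL that a browser can load is the condition the quote describes, since the module then provides fixed addresses regardless of how the rest of the process is randomized. Two caveats: Windows XP has no ASLR at all, so the flag changes nothing there, and a module that carries the flag but has had its relocations stripped still cannot be rebased, so the bit is a necessary, not sufficient, indicator.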