UPDATE – Another high profile watering hole attack has been discovered, this one targeting visitors to the Council on Foreign Relations website.

The CFR is a Washington, D.C.-based think tank that provides foreign policy and foreign affairs resources to government officials, journalists, and business and education leaders. Its list of directors and members includes public figures such as former secretaries of state Madeleine K. Albright and Colin L. Powell, former treasury secretary Robert Rubin, former ambassador Carla A. Hills, former NBC anchor Tom Brokaw and many other influential industry leaders.

Watering hole attacks target topically connected websites that an attacker believes members of a particular organization will visit often. An attacker will infect the website with malware which stings visitors in drive-by attacks. The site visitors are the ultimate targets; attackers are generally state-sponsored and hope to spy on their victims’ activities and siphon off business or military intelligence, experts say.

Watering hole attacks were used in the 2009 Aurora attacks on Google, Adobe and numerous other large technology and manufacturing companies. The tactic was also used in the Gh0stNet attacks, a widespread espionage campaign beginning in 2009 against numerous government agencies and embassies worldwide.

Security company FireEye reported Friday night that the CFR website had been compromised as early as Dec. 21 and was still hosting malware last Wednesday, the day after Christmas. Researchers there said the attackers were exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser.

“We can confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” wrote FireEye’s Darien Kindlund on the company’s blog. “We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”

Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing said in an email to Threatpost the zero day is in IE 6-8 and that the impact is limited.

“We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted,” said Childs.

A further look into the exploit reveals that JavaScript hosting the exploit only triggers against browsers set to English, Chinese (China and Taiwan), Japanese, Korean and Russian. The exploit also uses cookies to deliver the attack once per user; it also tracks when the infected page was last visited via cookies, Kindlund said.

“Once those initial checks passed, the JavaScript proceeded to load a Flash file today.swf which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint,” Kindlund said.

Once the attacker owns the browser, the exploit downloads a dropper called xsainfo.jpg.

One of the largest waterholing attacks was carried out over the course of a month starting in June, according to RSA’s FirstWatch research team. The VOHO attack targeted government websites in Maryland, a regional bank in Massachusetts and several websites promoting democracy in oppressed regions of the world.

The Gh0St RAT malware was used in those attacks, which also included the defense industrial base, education and political activism sites in D.C. and Boston. Gh0StNet is a remote access Trojan, and once it infects a victim, it carries out surveillance activities such as logging keystrokes, opening embedded webcams or microphones, run code remotely and exfiltrate files. Gh0StRAT also connects and sends data to command and control servers. It has been tied to numerous state-sponsored attacks.

This article was updated Dec. 29 at 1:30 p.m. ET to add comments from Microsoft.

Categories: Critical Infrastructure, Malware, Vulnerabilities

Comments (3)

  1. Anonymous
    1

    Every year there’s a Microsoft 0-day this time of year.

    The notable thing this year: who cares?

    It’s not like 2006 when the world was truly at risk.

    A bunch of foggies using an old version of IE on a government/NGO site.

    Yeah, that’s Microsoft these days: old crap used by old people.

  2. vasupapanna
    2

    sir i am using hp laptop,windowsXP,my windows tools,diagnose connection problems,HCL probloms, FTP problom somany probloms, becouse i new use parson so please give me RESET mathed

  3. alternate day fasting ketosis
    3

    Fantastic website you have here but I was curious if you knew of any community forums that cover the same topics discussed in this article?
    I’d really like to be a part of group where I can get opinions from other knowledgeable people that share the same interest. If you have any recommendations, please let me know. Thanks!

Comments are closed.